Posts Tagged Regulatory

Risk Management Requirements for Post-market Surveillance for Medical Devices


Medical Device Regulation: what is it about?

The EU’s Medical Device Regulation (MDR) has been a hot topic in healthcare and a major concern for companies since 2017. It was officially published on 5th May 2017 and came into effect on 25 May 2017. The MDR is supposed to replace the current EU documents: the Medical Device Directive (93/42/EEC) and the Directive on active implantable medical devices (90/385/EEC).

Manufacturers of currently approved medical devices were given a transitional period of 3 years, till the 26th of May 2020, during which they had to reorganize their operations to meet the requirements of the MDR. An amendment to the MDR was adopted on 24 April 2020 by the European Commission, which postponed the application of most of its provisions by one year, until 26 May 2021. However, certain devices that meet special requirements can be granted permission to extend the transition period till the 26th of May 2024.

Post-market surveillance: what’s new

Articles 82 through 86 and Annex III of the EU MDR describe the requirements for a post-market surveillance (PMS) system and make PMS mandatory. Manufacturers who want to remain in compliance with the new MDR are obliged to reorganize their PMS system and Vigilance System in line with the new requirements.

The PMS process is the collection and analysis of the data that comes from the various sources according to Annex III and is carried out according to a PMS plan for each product. There are various purposes for which this data can be used, such as:

  • Update of the benefit-risk determination and improvement of the risk management;
  • Update of the design and manufacturing information, the instructions for use and the labeling;
  • Update of the clinical evaluation;
  • Update of the summary of safety and clinical performance;
  • Identification of needs for preventive, corrective or field safety corrective action;
  • Identification of options to improve the usability, performance and safety of the device;
  • Contribution to the post-market surveillance of other devices (when relevant);
  • Detection and reporting of trends.

Risk management requirements for post-market surveillance for medical devices

With PMS becoming a duty for medical device manufacturers, an effective risk management system becomes a priority as well, as one of the three basic elements that ensure compliance and safety, alongside PMS and clinical evaluation (see Image 1).

According to the MDR, manufacturers are expected to provide evidence of a risk management plan created for the whole lifecycle of products. Such plans should be used for tracking and reducing any potential hazards and ensuring the safety of the devices.

The MDR refers to the following risk-related key notions:

  • Risk is defined in Article 2 as “the combination of the probability of occurrence of harm and the severity of that harm”;
  • Benefit-Risk Determination is defined in Article 2 as “the analysis of all assessments of benefit and risk of possible relevance for the use of the device for the intended purpose, when used in accordance with the intended purpose given by the manufacturer”;
  • General obligations are defined in Article 10 in the following way: “Manufacturers shall establish, document, implement and maintain a system for risk management as described in Section 3 of Annex I”;
  • The Quality Management Systems shall address the following matter – “risk management as set out in Section 3 of Annex I”.[1]

Risk Management for Medical Devices

The following requirements by the MDR should be addressed in order to ensure compliance and correct benefit/risk management:

  • establish and document a risk management plan for each device;
  • identify and analyse the known and foreseeable hazards associated with each device;
  • estimate and evaluate the risks associated with, and occurring during, the intended use and during reasonably foreseeable misuse;
  • eliminate or control the risks referred to in point (c) in accordance with the requirements of Section 4;
  • evaluate the impact of information from the production phase and, in particular, from the post-market surveillance system, on hazards and the frequency of occurrence thereof, on estimates of their associated risks, as well as on the overall risk, benefit-risk ratio and risk acceptability;
  • amend control measures if necessary.

What else is there to keep in mind?

In 2019, a new ISO 14155:2018 draft will be published and will contain changes on pre- and post-market clinical investigations for medical devices. It is expected that the new, third revision will contain more explicit and thorough indications on risk management. Additionally, it will be closely tied to the risk management requirements outlined in ISO 14971.

Other significant changes in the new ISO 14155:2018 draft include:

  • Guidance on clinical quality management, clinical investigation audits and ethics committees
  • Risk-based monitoring requirements
  • Registration of clinical investigations in publicly accessible databases
  • Clarifications on how ISO 14155 requirements apply to each stage of clinical development
  • Annexes relating ISO 14155 to the European Medical Devices Regulation, and to the Medical Devices Directive (MDD) and Active Implantable Medical Devices Directive (AIMDD).

Useful Medical Device Regulation terminology

  • MDR – Medical Device Regulation
  • PMS – Post Market Surveillance
  • PIP – Poly Implant Prosthesis
  • MDD – Medical Device Directive
  • FDA – Food and Drug Administration
  • PMCF – Post Market Clinical Follow-up
  • CER – Clinical Evaluation Report
  • RM – Risk Management
  • PSUR – Periodic Safety Updated Report
  • PMSR – Post Market Surveillance Report
  • SSCP – Summary on Safety and Clinical Performances
  • SAE – Serious Adverse Event
  • IFU – Instruction For Users

Are you looking for technological solutions to facilitate clinical trials and adverse events management for your Medical Device products? Arithmos offers solutions such as Symphony, a flexible and easy-to-set-up EDC system, and Argus BluePrint, a pre-validated and pre-configured version of Oracle Safety, which ensure compliance and security of the processes for Medical Device companies. Arithmos, alongside its sister company seQure Life Sciences, can also support companies in a consultative way by making sense of the MDR and analyzing a company’s needs in terms of quality assurance and regulatory compliance. We can support with an initial gap analysis and risk assessment regarding the MDR.

Contact us to learn more about our Medical Device solutions.

[1] BSI: MDR – Risk and Clinical Requirements

How to Break Down the Data Silos in Life Sciences Companies


In the Life Sciences industry, making sense of data is becoming increasingly challenging due to its growing volume, the introduction of new and complex technologies, and the increasing number of stakeholders.

Introducing the right data reporting and analytics solution at the corporate level allows Life Sciences companies not only to streamline collaboration within the company by breaking down the silos between the departments, but also to improve the decision-making process and optimise technology investments.

On July 8, Arithmos hosted a complimentary webinar on using data reporting and visualisation for breaking down the silos in Life Sciences companies. The webinar was conducted by Silvia Gabanti, Managing Director of Arithmos, and Massimo Businaro, CEO of E-project.

Continue reading to learn how effective data reporting and visualisation can improve the decision making at multiple levels, increase operational efficiency, and break the departmental silos.

Register now to get free access to webinar recording

Data Ecosystems in Life Sciences companies

Rapid technology advancement and new regulations benefit patients and speed up clinical trials. However, they also increase the amount of data generated daily. Real World Data, Internet of Things, ePRO: all these technologies multiply the amount of data that a company deals with on a daily basis.

Data is the new fuel for Life Sciences businesses and source of competitive advantage; it drives innovation and stimulates growth.

Currently, despite the enormous potential of this newly generated data, a lot of pharmaceutical companies are suffering from the data silos issue. It manifests itself in an inability to share data across departments, the presence of multiple data repositories, and the absence of a clear picture of the company’s data.

As data is often stored in multiple tools and locations, data silos severely impact the departments’ ability to collaborate and harm scientific discovery and drug development.

Data silos are caused by multiple reasons:

  • Every department has its own data repository isolated from the rest of the organisation
  • Silos tend to arise naturally in organisations over time because each department or business function has different goals, priorities, responsibilities, processes, and data repositories.
  • Legacy solutions don’t prioritise sharing data with other departments and, while maintaining data segregation, reduce the flow of information to what is considered strictly necessary.

The challenge of data silos is normally recognised but often not addressed in a strategic and planned way, especially by small and medium companies.

Elimination of data silos and the creation of free data flow between the departments is the secret to transforming data into fuel for the company’s growth.

Breaking Down the Silos

If a pharmaceutical company plans to break down the data silos and use data to improve its performance and deliver its solutions to the market in a faster and more efficient manner, it should handle a cultural and structural change.

This can be done in 5 steps:

  1. Identify the cause of the company’s silo problem and the main impacted areas (e.g. the pharmacovigilance department)
  2. Get management to buy in
  3. Define a scalable technology strategy that covers structural and cultural aspects of the change
  4. Embrace a corporate advanced reporting and analytics solution to create a bridge between the departments
  5. Invest in a process review and cross-functional training

Step 1: Identify the Cause of Silos and the Main Impacted Areas

Identifying the data management inefficiencies that impact a company’s performance is very challenging. This is particularly true in small and medium companies without a Chief Data Officer who advocates the importance of collecting and leveraging data in decision-making.

In this case, the first step is to identify the business area that relies the most on data and rationalise the way it collects and manages information. This department will be the “front door” of the change.

A good example is the pharmacovigilance department. It is often perceived as a pure “cost” for the company, but it is a key business unit in terms of regulatory compliance and patient safety.

Pharmacovigilance departments need to continuously improve their processes to reduce department costs. On the other hand, they are under great pressure because of strict regulations and the need to work closely with other departments (like regulatory affairs and clinical research) that have their own, completely different business goals.

Breaking down the data silos between pharmacovigilance and other departments eases cooperation and allows faster and more robust decisions based on data analysis and visualisation, safeguarding patients’ health more efficiently.

Step 2: Get the Management to Buy In

To break down the data silos by introducing a cross-departmental reporting solution, you need to get the upper management to buy in.

Getting rid of data silos helps each individual department and the entire organisation by:

  • offering them the big picture of the company’s data
  • aligning company’s long-term goals and department objectives
  • reducing the conflict between departments by providing clear guidance on corporate priorities and avoiding conflict between personal objectives and corporate growth
  • engaging corporate stakeholders like IT, which should be more conscious of the business goals and act as opinion leaders

Step 3: Define a Scalable Strategy

Pharmaceutical companies can find it challenging to decide which technology solution to choose or when to eliminate redundant technology.

This challenge can arise from biases in business decision making, which in turn can be caused by the following reasons:

  • advocating previous choices (technologies, consultants, processes)
  • sticking to the company’s previous habits
  • lack of appropriate decision-support tools

To ensure the appropriate allocation of funds and minimal disruption to the company’s work during the period of change, it is critical to consider the change as a program. Optimisation of data management and data reporting should be included in a company’s defined roadmap.

This means that a Work Breakdown Structure (WBS) approach should be followed. Below you can find an example of a WBS for defining the activities of a project aimed at breaking down the data silos.


Step 4: Embrace Advanced Reporting and Analytics Tools

Most pharmaceutical companies manage different systems that contain heterogeneous and disparate data.

This gives rise to two challenges:

  • Optimisation of the access to the information of the specific business systems (QA, PhV, RA databases)
  • Increase of the ability to share data by rationalising and connecting these systems

Introduction of an advanced reporting and analytic solution allows pharmaceutical companies to:

  • Support operational teams with data analysis and reporting and reduce manual elaboration of the data, which is not only time consuming but also increases the risk of regulatory non-compliance
  • Allow the managers to effectively oversee operational teams. This includes:
    • Identifying challenging and ineffective processes
    • Improving KPIs
    • Obtaining data that supports the decision-making process
  • Integrate external data in a smooth manner
  • Merge and evaluate data coming from different business areas in order to identify inconsistencies in real time, carry out data reconciliation, avoid duplicating information between the systems, speed up the regulatory reporting, and increase data quality.

Step 5: Invest in Process Review and Cross-functional Training

Social change is a key step in breaking down the silos – all stakeholders must be fully committed to the successful result from the very beginning.

It is extremely important to share the company objectives both with management and operational teams. The management can define the strategic and economic advantages, but only the resources involved in the data management can identify the real bottlenecks that this solution can destroy.

The involvement of the teams during requirements gathering, the organisation of cross-functional workshops, and training during the entire program development can improve the quality of the new processes and tools. More importantly, it can also break down the cultural silos (together with the data ones), reducing resistance to change and building relationships and corporate culture.


Companies can unlock the full potential of their data, optimize internal processes, and improve decision making by breaking down the data silos and allowing data to flow freely. An advanced data reporting and visualisation solution is a key step in this process, alongside cultural and structural change.

The destruction of the data silos in Life Sciences companies can result in streamlined delivery of drugs to the market and more efficient work of all the departments, benefiting patients and allowing companies to safeguard their health more effectively.

Register now to get free access to webinar recording to learn more about breaking down the silos in Life Sciences companies

Clinical Oversight Solution: How to Select the Right Vendor



In June 2017 ICH GCP E6 (R2) entered into force, introducing new guidelines and increasing the responsibility of the Sponsor when it comes to outsourcing activities to CROs.

 “The sponsor should ensure oversight of any trial-related duties and functions carried out on its behalf, including trial-related duties and functions that are subcontracted to another party by the sponsor’s contracted CRO(s).”

Clinical Trial Oversight – 5.2.2. Addendum

After ICH GCP E6 (R2) entered into force, sponsors needed to face the following obligations:

  • Checking if the quality requirements, agreed with the CROs, have been met
  • Confirming if the project execution, by the CRO, is aligned with expectations
  • Implementing a risk-based QMS throughout the clinical trial

The reasons that led the authorities to update the ICH GCP regulation are clear: on one side, the increasing complexity, scale, and overall costs of clinical trials; on the other, the strong shift from a paper-based clinical trial process to a digital-based one.

Challenges in ensuring oversight

Although CRO oversight is now considered to be a top priority for sponsors, designing and implementing an oversight process is extremely challenging. Introducing a technology solution is the most efficient way to ensure oversight, due to the amount and complexity of data that needs to be analysed.

In order to perform oversight efficiently, this solution needs to:

  • Give a global overview of all the company vendors involved in each study
  • Convert non-homogeneous data into a format that is homogeneous and allows easy comparison, control and performance analysis, for example the visit frequency analysis

As very few sponsors are already in possession of such a solution, it needs to be acquired externally through a vendor selection process.

Technologies for ensuring oversight

There are a number of tools that sponsors can adopt as part of their oversight strategy. The two most widespread are the Clinical Trial Management System (CTMS) and the oversight solution.


CTMS is a type of software that merges the data from different sources and allows the sponsors to analyse it. CTMS is one of the most common tools on the clinical market and has planning and reporting functions that include participant contact information, deadlines, and milestones.

The main CTMS constraint is the low level of customisation of the tool due to limited integrated customization capabilities. With each CRO having its own report template, it is difficult to accommodate this variety with one CTMS, so only a limited number of studies and CROs can be overseen with it.

Additionally, a CTMS was born as a clinical tool, which limits the inclusion of other data like procurement and pharmacovigilance.

Clinical Oversight solution

A clinical oversight solution is another option that can be used by a sponsor in order to comply with the Addendum of ICH GCP E6 (R2).

An oversight solution is more than software; it is a complex package that includes the following elements:

  • Business analysis activities to understand the need of the sponsor and review the types of data submitted by CROs
  • Software that covers clinical, procurement, and pharmacovigilance aspects of the study
  • Maintenance services and configuration of the reports of the new CROs

An oversight solution allows the creation of multiple dashboards and can therefore accommodate different formats of incoming data, which makes it a perfect tool for sponsors that have multiple CROs and multiple studies.

Being more complex than a CTMS, an oversight solution also comes at a higher price.

In this article we will be focusing on the selection of a vendor for oversight solution, as it is more flexible and allows the inclusion of a higher number of CROs and studies.

Oversight solution: vendor selection

Step 1: Kick Off Meeting

During this step the sponsor plans the project activity, defines roles and responsibilities, timeline, budget restriction, and the outputs. It is critical to include the following participants who will be the key figures in the process:

  • Project manager
  • Business owner
  • IT team representative (system owner)
  • Key user that uses the data provided by the CROs; for example, a data manager

Step 2: Defining Business Requirements

The sponsor should list the main requirements for the oversight system. The best approach is starting with the higher level expectations and defining only 5-7 main points. They help to understand the key micro-areas and to create a shortlist of the solutions available on the market.

Step 3: Vendor Selection and Assessment

At this step the sponsor works with the shortlist of the oversight solution vendors compiled previously. Normally, the shortlist includes 3-5 solutions. The following actions will help to filter out the least suitable vendors and define the main candidates:

  • Send the vendor candidates a survey that gathers information on the size of the company, its capabilities and its ISO certificates
  • Set up a demo appointment and share the list of the oversight requirements during the demo. The advised time is 1-1.5 hours
  • Request a ballpark estimate
  • Create an evaluation matrix based on the survey and demo outcomes in order to understand which vendor has the highest score

When it comes to requesting the ballpark estimate, it is vital to keep the following in mind:

  • All the potential vendors should receive the same description with the same requirements. The more precise and coherent the request, the more likely the different proposals will be comparable.
  • The more flexible the solution that the vendor offers, the fewer technical adjustments will be needed, allowing the sponsor to lower the expenses.
  • Aside from the main ballpark estimate, it is important to keep in mind additional costs, like CRO onboarding and data dashboards personalization.

Step 4: Vendor Confirmation

Once the vendor is chosen, the sponsor conducts an audit and verifies the vendor’s compliance and the internal processes. This can either be done directly by the vendor or can be outsourced to an external consultant.

In case of a successful audit, the collaboration with the vendor is formalized with an appropriate contract.


Each of the four steps is very important for making the right choice and ensuring compliance. However, the most critical step is defining the requisites and the expected results. The correct definition at this stage is the secret to successful oversight and smooth collaboration.

Sponsors need to make sure that they involve all the stakeholders in the definition of the requisites and avoid silos between the departments. If key stakeholders such as the business department and IT teams are interested in different characteristics and have different expectations, the sponsor needs to ensure that it shortlists the solutions that are a good trade-off for both of them.

Given the increasing outsourcing trend in clinical trials, it is not surprising that ICH E6(R2) was introduced, as it addresses in more detail the relations between sponsors and third parties. ICH E6(R2) has changed the way information circulates between sponsors and CROs and has pushed companies towards adopting new technology to collect, organize, and share information in a more efficient and cost-effective way.

How can we support you?

Arithmos has extensive expertise in oversight vendor selection. We support you at every stage of the vendor selection, from business analysis to solution integration. Our extensive knowledge of oversight allows us to choose and customize for you an oversight solution that guarantees efficiency and compliance.

Contact us to learn more about our oversight vendor selection support.

Breaking Down The Silos: First Step Towards Fruitful Collaboration


On the 10th of October the top industry professionals gathered in Madrid, Spain, for Regulatory Day, an immersive workshop organized by Arithmos in collaboration with its partners Oracle Health Sciences and Asphalion.

The event, entitled “Breaking Down The Silos: Product Development Journey through Post-Marketing: EMA vs FDA” brought together the best regulatory, QA, clinical, and pharmacovigilance specialists to discuss how they can collaborate to make the product development journey through post-marketing as efficient as possible both in EMA and FDA regulatory environments.

The Regulatory Day agenda was divided into three sessions, each of them dedicated to a different aspect of product development:

Session #1 Comparison of EMA and FDA Regulatory Landscape in Clinical Trials

  • Introduction to FDA and EU Regulatory Activities for Drug Development and Clinical Trials – Lidia Canovas (Asphalion) and Bruce Thompson (Reguliance);
  • Integrated Summaries: Strategies for Meeting Regulatory Challenges Faced by Sponsors – Marta Zanus (CROS NT);
  • Pre-Marketing Safety Reporting & Signal Detection – Una Kessi (Oracle Health Sciences);

Session #2 Post-Market Regulatory

  • Comparison of US vs EU Regulations, Procedures, Requirements, Practical Examples and Submission Format – Lidia Canovas (Asphalion) and Bruce Thompson (Reguliance);
  • Surveillance and Safety Obligations after Approval – Una Kessi (Oracle Health Sciences);
  • Post-authorisation Studies in the EU: PASS and PAES – Stefania De Santis (seQure);

Session #3 Impact of Technology on Regulatory and Vice Versa

  • The (R)evolution of Technology in the Pharmaceutical Sector – Marcos Fernàndez Gómez (Asphalion);
  • Digital Transformation in Clinical Trials: eClinical Selection and the Regulatory Impact – Silvia Gabanti (Arithmos);
  • How AI and Cloud are Impacting Multivigilance – Michael Braun-Boghos (Oracle Health Sciences);

Silvia Gabanti, Arithmos Managing Director, at Regulatory Day

Roundtable discussions

The final part of Regulatory Day engaged the event guests in the roundtable discussions on where the market is moving and invited them to share their own experience in breaking down the silos between departments in their companies.

  • Roundtable #1: Regulatory Challenges in the Industry: EU vs FDA, Brexit, and IDMP
  • Roundtable #2: Breaking Down the Silos between Regulatory Affairs, Safety, and Clinical R&D

Breaking Down the Silos: Complexities and Benefits

The information flow between the various departments involved in medicinal product development is not always straightforward, especially when it comes to large companies. Due to structural obstacles and lack of time caused by pressing deadlines, regulatory, clinical, and safety professionals might not fully comprehend the work done by other departments.

Collaboration and continuous information exchange between different professionals that work either in EMA or FDA environment favour the acceleration of product development and increase efficiency. Regulatory Day gave participants a sneak peek into the work of their colleagues and challenges they face, inviting them to explore new ways of collaboration.


PM Holding Appoints Angela Weston as Chief Commercial Officer

Verona, Italy (11 September 2019) – PM Holding, a group of diverse service providers in the life sciences industry, announces the appointment of Angela Weston as Chief Commercial Officer to manage business development operations across the entire group.

PM Holding consists of specialized service providers in the drug and device development sector including:

  • CROS NT (global, expert biometrics CRO);
  • Arithmos (technology solution provider and system integrator);
  • seQure Life Sciences (niche provider of vigilance, quality assurance and regulatory services).

Angela brings a wealth of experience in business development, marketing and product management roles at a global level for multinational companies in the pharmaceutical, medical device and CRO environments. She started her career in nursing before moving into sales with B.Braun and Boston Scientific; she later moved into the CRO sector with Premier Research Group, Aptiv Solutions (ICON plc) and Inventiv Health (Syneos Health). Angela has an impressive track record of implementing strategies to support global sales, marketing and proposal management with a thorough understanding of our industry and client needs.

The decision to hire a CCO comes at a time when the PM Holding group of companies is expanding globally and offering more comprehensive services to the market, especially in the area of digital health.

Paolo Morelli, CEO and Owner of PM Holding, said, “we are at a crucial, yet exciting, phase in PM Holding where we are developing new solutions to meet market demands in data science, digital health and overall oversight and quality in clinical trials. It’s a collaborative effort, and I am confident that Angela’s experience and industry knowledge will help us identify our key markets, positioning and message. Her success in implementing successful business development and marketing infrastructure and strategies to enable company growth speaks for itself”.

Angela commented, “for the past several years I have supported companies to develop value generation strategies, and therefore I see PM Holding as a great opportunity and fit for me. The companies under the PMH brand have huge potential both individually and collectively to offer impeccable quality services and innovative solutions to our clients in the global marketplace and I am excited to be part of this growth phase”.

Angela is based in Europe.

It’s Data Protection Day!


Did you know that January 28th is Data Protection Day? The Council of Europe launched this commemorative day in 2007, and two years later, the USA joined the initiative. We fully support this initiative, and as a technology company that operates in the Life Sciences sector, we recognize this important day by sharing six facts about data privacy in the healthcare sector.

Fact #1

The most significant and recent data privacy law is probably the EU General Data Protection Regulation, better known as GDPR. It is a set of more than 250 pages approved by the European Parliament, the Council of the European Union and the European Commission. The GDPR has replaced the previous Data Protection Directive 95/46/EC from 1995 and has introduced cohesive rules for ensuring that the EU population is aware of how their personal data is handled.

Fact #2

With regard to health data, GDPR defines three types of data that require special protection: data concerning health, genetic data, and biometric data.[1]

Fact #3

Back in 2017, 54% of healthcare professionals thought that the responsibility for getting medical records from one healthcare facility to another lay with healthcare professionals/facilities. However, the responsibility should lie with both patients and professionals/facilities (57%).[2] We wonder: how did the situation change in the last year and a half?

Fact #4

In the USA, the privacy and security of health data are governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules. They set limits on how health information can be used and shared with others, and require that it be kept secure with administrative, technical, and physical safeguards.

Fact #5

Speaking of American legislation, in 2018 the U.S. Congress attempted to enact a bill that could align 42 CFR Part 2’s standards with HIPAA. The draft legislation would have permitted providers to share information about patients subject to 42 CFR Part 2 for the purpose of treatment, payment, and operations.

Fact #6

Even though the notion of data privacy is often linked to the notion of security, security is not always sufficient to ensure privacy. Privacy can be defined as the ability to protect sensitive, personally identifiable health care information, while security can be described as protection against unauthorized access, with some definitions explicitly including integrity and availability.[3]

There are many ways to ensure the security of health data, and one of them is opting for a partner that has implemented best practices in this area, including internationally recognized certifications such as ISO 27001. ISO 27001 is the best-known standard in its family, providing requirements for an information security management system (ISMS). It guarantees that a company maintains the confidentiality, integrity, and availability of personal health and patient data and information.

If you want to learn more about the importance of ISO 27001 in the healthcare sector, we invite you to have a look at this material.

We at Arithmos take great pride in honoring data privacy and security, and ensure that all our products and internal processes are compliant. We are also ISO 27001 certified, and we are thrilled to say that we have confirmed this status with a re-certification in December 2018.

Want to know more about privacy and security in the healthcare sector? Send your questions at!  

[1] General Data Protection Regulation

[2] Future Health Index 2017

[3] Karim Abouelmehdi, Abderrahim Beni-Hessane, Hayat Khaloufi: Big healthcare data: preserving security and privacy

Why Should Pharma Companies Include Clinical Trial Oversight in Their Strategy?


The ICH-GCP update, which came into effect on June 14, 2017, had “Clinical Trial Oversight” among its main elements.
The E6 R2 revision reminds principal investigators of their crucial role in 3 activities performed at their clinical sites: delegation, conduct and oversight. The latter now plays a larger role: sponsors are responsible for far more insightful oversight, covering each and every duty performed by the external companies included in their outsourcing strategy. Furthermore, a more comprehensive risk-based approach is required, with the aim of preventing systematic errors rather than correcting issues that have already occurred.

Since clinical trial oversight is gaining relevance every day in the global life sciences environment, pharmaceutical companies are slowly understanding its value and looking for different strategies to successfully adopt a clinical trial oversight solution.

In the following infographic, Arithmos Life Sciences IT experts have summarized why pharma companies should include a clinical trial oversight strategy, analyzing both internal and external needs and leading to a 3-step guide for a successful Clinical Trial Oversight implementation.

Arithmos Clinical Trial Oversight

To download the Infographic click here.

Are you ICH GCP E6 R2 compliant?

Have a chat with our experts to learn how we can support you throughout the whole process of identifying and implementing clinical trial oversight requirements.

ICH GCP E6 (R2) – Are pharma companies ready to ensure Clinical Trial Oversight?



It’s been more than a year since the ICH GCP E6(R2) addendum became effective. The reasons that led the Authorities to update the ICH GCP regulation are clear: on one side, the increasing complexity, scale and overall costs of clinical trials; on the other, the strong shift from a paper-based clinical trial process to one based on electronic data capture and management. Among the phases mentioned in the addendum (clinical trial design, conduct, oversight, recording and reporting), oversight is gaining relevance every day:

  • Are projects performing as planned?
  • Are partners respecting the quality agreement?
  • Are the documents produced by partners sufficient and effective?

Pharmaceutical and Biotech companies are required to implement more structured and comprehensive monitoring of their projects. In particular, the addendum focuses on the relationship between sponsors and CROs, as stated in the addendum to article 5.2.2:

“The sponsor should ensure oversight of any trial-related duties and functions carried out on its behalf, including trial-related duties and functions that are subcontracted to another party by the sponsor’s contracted CRO(s)”.

What is Clinical Trial Oversight?

A set of processes put in place by the Sponsor and the CRO, aimed at providing the former with an updated, constant overview of the CRO’s performance, deliverables and results.

What is the Objective of Clinical Trial Oversight?

To foster more transparent and efficient communication about project status, timelines and results between Sponsors and CROs, ensuring global alignment.

But while CRO oversight is considered a #1 priority by Sponsors, it is also true that most companies find it extremely difficult to design and implement a shared and efficient set of processes to reach this goal. As the GCP states, digital transformation in the Life Sciences industry has led to enormous changes, representing at the same time a great opportunity and a challenging reorganization. Thanks to IT innovations, information, data and documents can now be collected, organized and shared in a more efficient and cost-effective way. The other side of the coin is that these disruptive changes are not often included in a comprehensive digital strategy, leading to a lack of integration between the different applications used by the company’s departments. What does this mean?

  • Resources devoted to downloading and uploading data from one application to another;
  • Compliance issues related to the System Validation of the different platforms (CSV);
  • Great increase of the risk of human mistakes due to data manipulation;
  • Risk of out-dated reports for the management team;
  • Delays in activities with a significant impact on the study budget.

As has been widely discussed in recent months, the ICH GCP E6 (R2) put the need for a Risk-Based Quality Management System under the spotlight. In fact, Addendum 5.0 states:

“The sponsor should implement a system to manage quality throughout all stages of the trial process. […] The methods used to assure and control the quality of the trial should be proportionate to the risks inherent in the trial and the importance of the information collected.”

Companies are therefore required to implement a risk-based QMS to support each phase of the whole trial. The adoption of Clinical Trial Oversight allows real-time monitoring of specific compliance and process KPIs identified during the risk analysis phase. This embraces the philosophy introduced by the ICH E6 addendum, which encourages the use of improved and more efficient approaches and tools for clinical trial oversight in order to avoid unnecessary complexity, procedures, and data collection.

It is clear: clinical trial oversight represents a mandatory requirement both from a regulatory perspective and from a strategic management point of view. The path towards the successful implementation of such a widespread improvement cannot be considered easy, but 3 main steps that every Sponsor should follow in order to ease the process have been identified:

  1. Requirements Analysis

    As a first step, it is fundamental to create a detailed map of the stakeholders (internal or external) involved in every activity, their responsibilities, tasks, data produced and of course, IT applications utilized. This analysis will help in the identification of the specific Sponsor’s requirements;

  2. Oversight Model Evaluation

    With a clear overview of the requirements, it is now time to evaluate the multiple ways an Oversight process, and consequently an Oversight system, can be designed and implemented. Is it better to introduce a horizontal global application? Would a central integrated project management and control cockpit be the best choice? In this phase these questions will find an answer;

  3. Oversight System Implementation

    Requirements have been identified, alternatives evaluated and the best solution found. Sponsor and CROs now approach the final phase: the pragmatic creation of a more connected and integrated environment where it is possible for the Sponsor to examine data, monitor activities and have a real-time overview of the CRO’s performance.

As stated in the previous paragraphs, these 3 macro phases involve several actors performing multiple processes; for this reason, the role played by the Quality Assurance Department is crucial. Ensuring a streamlined risk-based QA Management system (Standard Operating Procedures, Quality Manuals, Policies…) throughout all stages of the trial process allows Sponsors to meet regulatory requirements and avoid compliance pitfalls.


Is your company compliant with Clinical Trial Oversight GCP?

We at Arithmos have developed a comprehensive approach for Clinical Trial Oversight Management: from requirements analysis to the vendor selection and implementation of the solution. In collaboration with its strategic partners, Arithmos also provides complete support in the re-organization of Quality Systems using the Risk-Based Approach. Would you like more info on this topic? Just send us an email!

GDPR, What It Is, What Does It Change and What Do You Risk If You Are Not Compliant


Less than 3 months separate us from the moment the GDPR becomes effective. It is therefore fundamental for companies to better understand what the GDPR actually is and what consequences it will have for their daily routine, especially in Life Sciences, an industry characterized by an incredible amount of sensitive data.

What Actually is EU General Data Protection Regulation (EU GDPR)?

The EU General Data Protection Regulation is a set of more than 250 pages approved by the European Parliament, the Council of the European Union and the European Commission. The GDPR will replace the previous Data Protection Directive 95/46/EC from 1995. It is easy to understand, due to the technological innovation and the huge shift to a data-driven approach, why an update was more than necessary.

If you are asking yourself why you should be interested in GDPR, consider that it creates a much stronger incentive for compliance: fines of up to €20M or 4% of global turnover.

What are the GDPR main objectives?

As stated on the homepage of the website, “The EU General Data Protection Regulation (GDPR) […] was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”

The GDPR therefore has 3 objectives:

  1. Increase the homogeneity of data privacy laws in the Euro area, which matters especially to organizations working in multiple countries;
  2. Ensure that the EU population is aware of the data organizations obtain about them and how it will be used;
  3. Deeply reorganize the way companies collect, manage, analyze and share data.

Despite the different actors involved, it is easy to spot the overall pattern that lies beneath the New Privacy Regulation: these pages concern the rights of individuals over their personal data, explaining how the data can be obtained, what can or cannot be done with it and how the organization must guarantee its protection.

What is Personal Data?

Article 4 provides a broad definition of Personal Data, which includes:

  • Name, address and unique identifying numbers (IP address, cookie strings…);
  • Demographics—age, gender, income…;
  • Behavioral data — web searches chronology, purchase history…;
  • Social data—your friends’ list, emails, messages…;
  • Sensor data—biometrics, health tracking devices…;
  • User-generated content — videos, photos, blogs or comments.

Because it concerns only personal data, the GDPR does not cover anonymized data. There is, however, a big BUT: if data, even anonymized data, can somehow lead back to an individual (for example through the combination of different data sources), then that information is defined as personal.

The actors involved in the GDPR

Who is or What constitutes a Data Subject?

GDPR defines the data subject as a natural person, which could therefore be your customer, employee or, in the case of clinical trials, your patient.

Who is or What constitutes a Data Controller?

The Data Controller is a “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” It should therefore be regarded as the company at the beginning of the data request workflow.

In the Life Sciences industry it can be identified with the sponsor, the Academic Institution or the Contract Research Organization (CRO).

Who is or What constitutes a Data Processor?

The Data Processor is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” These are the entities that actually handle the personal data under the mandate of the controller, for example IT companies that manage or administer a client’s database.

The Geography of The GDPR: Which are the Controllers and Processors involved?

One of the biggest changes introduced by the GDPR is the extension of the regulatory jurisdiction. In fact, if any one of the following 3 conditions is met, then the entity must be GDPR compliant:

  • The data controller is based in the EU (regardless of whether the processing takes place in the Union or not);
  • The data processor is based in the EU (regardless of whether the processing takes place in the Union or not);
  • The data subject is based in the European Union.

In other words, if you or any link of the chain is in or passes through the European Union, then GDPR compliance is required (sponsors, CROs and patients participating in the trials are all involved).

Why is Consent the Key of GDPR?

As stated on, the conditions for consent have been considerably strengthened in order to prevent companies from using “long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form” including the purpose for data processing attached to that consent.

Consent is only valid when actively given; this means no pre-ticked checkboxes are accepted. The subject must also be able to withdraw consent at any time.

How Does GDPR Empower EU Citizens?

As stated in the previous paragraphs, the Regulation introduces a brand new set of rights for the data subjects to enhance information management. These include:

  • Access & modification: Subjects must be able to access their data and modify it.
  • Right to erasure: Subjects can request the cancellation of their data when it is no longer necessary for its original purpose.
  • Portability: Subjects must be able to request and receive from controllers all the personal data held about them, in a portable format.

What Do You Risk If you are not GDPR Compliant?

The GDPR penalty section is extremely clear. Paragraph 6 of Article 83 states: “Non-compliance […] shall, […], be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover […], whichever is higher”. This represents the maximum fine that can be imposed, and it applies to the most serious infringements: lack of sufficient customer consent to process data or violating the core of Privacy by Design concepts.

Concerning compliance, a few words must be spent on the controversial breach notification: GDPR requires companies to notify the Data Protection Supervisor of a breach within 72 hours from the event, which, as stated by Richard Stiennon on Forbes, means that you have 3 days to:

  1. Determine what happened.
  2. Put in controls to stop it from happening again.
  3. Figure out how to communicate it.

Of course, the path to compliance is no easy task: a comprehensive plan involving many different departments must be put in place in order to ensure an efficient deployment before May 25th. Life Sciences companies, be they pharmaceutical companies, biotechs, CROs or research centers, must include in their strategy all possible means to prevent personal data from being misused, especially where their patients’ identity is concerned.


Does your Clinical Technology Provider Have ISO 27001 Certification?
