Human Research Protections and Good Clinical Practice: The Relationship Among GCP, the Auditing Process, and Institutional Review Boards | IVT

Courtesy of Getty Images
Human Research Protections and Good Clinical Practice: The Relationship Among GCP, the Auditing Process, and Institutional Review Boards

A cursory review of recent issues of the Journal of GXP Compliance reveals a heavy emphasis on Good Manufacturing Practice (GMP), Good laboratory Practice (GLP), and technology. This article is intended to be a contribution to the readership’s appreciation for Good Clinical Practice (GCP) – a primer for industry professionals. It is to provide information on the topic of human research protections, since it is a shared responsibility for all individuals involved with research, but particularly clinical research professionals.

At base, our focus is the relationship among GCP, the auditing process, and Institutional Review Boards (IRBs).1 In addition, we will also consider an emerging aspect of GCP: Human Research Protections Programs (HRPPs).2 This is a term being employed by agencies, such as the Office for Human Research Protections (OHRP), the U.S. Department of Health and Human Services (HHS), the Food and Drug Administration (FDA) Office of Good Clinical Practice (OGCP), and the Institutes of Medicine. The importance of HR PPs can be summarized simply: subject protection is too important to be left to IRBs alone. The notion is that those participating in clinical research (sponsors, Contract Research Organizations (CROs), sites, IRBs, and institutions, such as academic medical centers and community health organizations – even to include the potential subject) share a basic responsibility: that of protecting the rights and welfare of individuals volunteering to participate in clinical trials.

This is a more formalized vision of the relationship among compliance (including auditing), GCP, and the cultures within which clinical research processes are carried out.

Supporting the HR PP approach is the Federal-Wide Assurance (FWA) for institutions engaged in U.S. federally-sponsored research activities.

A final introductory point: the HR PP approach, in its broadest sense, is intended to address both accountability (compliance) and assurance – the accountability of all individuals involved in clinical research (not only the researchers), and the assurance of all entities involved in clinical research (spanning administrative, legal, and regulatory compliance, biosafety, pharmacy, nursing, quality and risk management, among others). As such, the HR PP approach attempts to shift the focus from a “culture of compliance” to a “culture of conscience.” The implications are important. A culture of compliance is regulation-driven; one of conscience is driven by professional responsibility-taking and responsibility-sharing. Implementation is no easy matter. It is systemic and on-going.

Good Clinical Practice

At base, GCP, of course, is a primary tool used for auditing. GCP is codified in federal regulations; but are further explicated in federal guidance, current interpretation of the regulations, and standard practice.

What is often less appreciated is that GCP is the only such regulatory practice actually founded in ethical codes, such as the Nuremberg Code, Declaration of Helsinki, and the Belmont Report – specifically those principles articulated in the Belmont Report: respect for persons, beneficence, and justice.

Indeed, GCP is so indebted to ethics that the majority of them focus on human subject protection, directly and indirectly; as are GCP of daily patient care.


The competent auditor is not only familiar with the basic regulations, but also the guidance that assists all those in the clinical research enterprise to decipher the intent of the regulations. In addition, the competent auditor appreciates the range of applicability the regulations (and guidance) are intended to cover, while operating within the letter of them.

Over the past three years, in particular, more sponsors and CROs are auditing, or contemplating auditing, the IRBs with which they interact. In part, this is due to heightened public attention to clinical research – the tragedies of deaths of subjects in trials, as well as the federal authorities’ shutdowns of prestigious academic, medical, and large community healthcare centers (several dozen at this point in time).

Sponsors and CROs are quite familiar with auditing sites, and the prospect of “rescue sites” to replace those that are not in compliance may offer a sense of security to a sponsor or CRO. However, the prospect of a “rescue IRB” does not.

Industry auditing (in particular, sponsor/CRO of IRB and sponsor/CRO/IRB of site) is a Quality Assurance (QA) process, not unlike those of an FDA or OHR P audit. Recently, spokespersons for both federal agencies have been attempting to emphasize the improvement benefits of the government audit.

Our own experience with sponsor/CRO audits suggests the same emphasis: improvement of operating processes. Practically speaking, of course, regulatory agencies, sponsors, and CROs all have tremendous power: to put the audited entity out of business.

Whatever type of audit is being conducted, they share certain realities:

  1. Audits are an operational/administrative prerequisite
  2. Audits are a business, as well as a regulatory necessity; and a human subject protection issue
  3. Audits are a business challenge stretching the limits of resources.

Principles of Quality Assurance/Quality Control (QA/QC), especially those emphasizing “continuous” improvement, suggest that an audit reveals both strengths and weaknesses of operational processes. Traditionally, audits focus on consistency of documentation and “reproduceability” of an event, or series of events via documentation. What is done is a more recent focal point. In no small measure, this is due to the use of technology to replace paper processes, which requires not only a thorough appreciation for the paper processes (and the regulations that led to them), but an understanding of potential “e-solutions” – both their limitations, as well as the changed requirements for implementing them. In part, this has been codified by 21 CFR Part 11, the regulation addressing security measures, among other aspects, of Electronic Clinical Trials (ECTs).

One of our client (sponsor) companies has summarized the importance of audits as business, as well as regulatory necessities. Imagine two overlapping circles. The area of overlap is the shared interest (between business interests and regulatory interests) of both “clean data” and human subject protection.

In a similar vein, bioethicists have stressed that involving human participants in bad science is unethical. That is, for example, if clean data does not result from the trial, subjects involved in the trial have been put at risk, no matter how minimal, with no compensating benefit. As another illustration, if the protocol for the study is poorly designed, there is an unnecessary risk to which participants are subjected.

Ultimately, the goal of GCP reinforced by auditing is clean data. Indeed, the clinical research enterprise as a whole flourishes because of, or is jeopardized by, the degree to which clean data emerges from the trials conducted.

Those who have served as GCP auditors appreciate the challenge they represent. While there are quantitative values to be examined, there are also interpretive and qualitative dimensions to consider, especially since the regulations are founded on ethical principles; and that many of the regulations lend themselves to a variety of interpretations, whether further clarified by guidance or not. Variations on international standards are not to be dismissed out of hand either.

So, regardless of the importance of auditing, and its challenges:

  1. How much auditing can a good site, IRB, sponsor, or CRO withstand?
  2. How much can any one of them perform well?

Representing a firm that is both audited, as well as audits (and is called upon to provide advice on auditing from the HR P perspective), we are well aware of the resource investments auditing requires. Consider the dedication that preparation for the audit and post-audit ‘to dos’ alone demand.

Today, we need to be placing a greater importance on effective auditing in contrast to a ‘pro forma’ approach. Extensive education is necessary for auditors, not only in GCP, but also Good Regulatory Practice (GRP). Failure to appreciate the interactions between site and IRB, for example – the what’s, how’s, when’s, and why’s – compromises the value and integrity of the audit.

As we, as part of the clinical research enterprise and as members of the public, face the challenge of developing and implementing novel therapies rapidly, there is a serious need to consider what policies, practices, and regulations (public, federal, corporate, and institutional) truly contribute to their development, and which are impediments to doing so safely and efficiently.

GCP provides the superstructure, and Standard Operating Procedures (SOPs) provide the infrastructure. This way of thinking has been reinforced by federal government audits that ‘ding’ SOPs, which merely repeat or cite the regulations.


In addition to well-developed SOPs, closer (and clearer) communication interchanges among IRB, study design, regulatory affairs, and auditing professionals is another key mechanism for assuring “quality speed” within the clinical research enterprise – indeed, one that is in keeping with the OHR P modular mutual assurance system itself (see Figure 1). This, in turn, is a mechanism for implementing and revising GCP.

Figure 1

The Office for Human Research Protection's Modular Systems

Perhaps the most elaborate vision of how this all might work is the OHR P system itself.

Fundamentally, this system of mutual assurance features human research protections programs at locations throughout the clinical research enterprise. It also entails communication mechanisms among those HR PP constituents to mutually reinforce what Dr. Greg Koski of OHR P has called the “cultures of conscience and compliance.”

A particular aspect of this system relates to a distinction between accreditation and auditing. Indeed, there is some suggestion that accreditation is a means of supplanting, or, at least, reducing the need for auditing. If the latter, the confounding problems mentioned earlier (how much can a research enterprise entity withstand… or perform) may be addressed, at least in part.

Depending on how the accreditation structure is set-up, particularly who constitutes the surveyors or reviewers (versus auditors) of the accreditation entity, it may also avoid another thorny issue for auditors: to what extent can a group auditing an entity share information with others involved with the same entity? Put concretely: to what extent can, or should, a sponsor share information resulting from its audit of an IRB, for example, with other sponsors or IRBs?

Accreditation is based on standards that have been derived from regulations, guidance, and “best practice.” Formal, independent accrediting entities provide the surveying of those applying voluntarily for accreditation.

While regulations and guidance provide the floor, or minimum, accreditation attempts to codify more than the minimum acceptable activity of the accredited entity…hence the importance of “best practice” and ongoing development and refinement of processes.

This is where the more recent approach to auditing and accreditation ideally overlap: continuous quality improvement as the focus. However, there is a pitfall: the accreditation standards themselves become the floor without necessarily encouraging continuous quality improvement.


For the past five years, human research protection, hence GCP, has become highly visible to the public, from front page news in the Washington Post and USA Today to the cover of Time magazine.

Clearly, the system for supporting and implementing GCP is in need of reengineering. Rulemaking (regulations), guidance, auditing, accreditation, certification, and training all have their place in the retooled approach being encouraged by OHR P and OGCP.

But the fundamental question remains: “How can this, or any system assure ethical review – not just procedural, document, or outcomes reviews?” Indeed, as Dr. Koski has suggested on many public occasions, the culture of conscience needs to prevail over a culture of compliance. A culture of conscience is the value system and behavior of those organizations and professionals behind the expertise, technology, and continuous quality improvement of clinical research. In turn, this translates the knowledge and tools into a system that genuinely does protect the rights and welfare of human subjects.

For our representation, see Figure 2. It is a ‘sandwich’ diagram where what lies between the ‘bread’ of the cultures of compliance and conscience is the ‘meat’ of the mechanisms (the “four A’s”) for both accountability and assurance.

Figure 2

Human Research Protections: Assurance and Accountability

So to return to the fundamental question, critical for truly accomplishing ethical review (as well as procedural, document, and outcomes review) is education and training – within each of the “A” mechanisms. Such thorough knowledge-sharing necessarily includes on-going ethics, as well as QA and regulatory training. This is for two reasons:

  • To accomplish the goal of ethical review, including bringing to the forefront ethical perspectives throughout clinical research activities.
  • Because ethics is the basis of GCP.

Figure 3 depicts this additional dimension: for the system to work effectively and efficiently there must be knowledge-sharing on three levels (macro, meso, and micro). Put differently, bioethics provides the ‘big picture’ knowledge necessary in the clinical research enterprise (at least vis á vis human subject protection), as well as the underpinnings of the other two levels. Appreciation for key issues, such as adverse events, continuing review, privacy and confidentiality supplies the micro, or most detailed level. The middle ground of necessary learning includes the shared standards for evaluating HR PPs (codified in accreditation criteria), as well as the technical and interpersonal communications skills associated with auditing.

Figure 3

Human Research Protections: Areas of Necessary Knowledge-Sharing


This work is heavily indebted to Dr. Greg Koski and his colleagues at OHRP, and their counterparts at FDA, especially Dr. David LePay, head of the Office of Good Clinical Practices. However, it is only an interpretation of what they have presented in various public forums over the last two years.


  1. IRBs are referred to as Institutional Review Boards, whether affiliated with medical institutions or independent (commercial). They are also known, internationally, as ERBs or ERCs (Ethical Review Boards/Committees). In the light of HR PPs, there is discussion of “dropping the I from IRBs,” that is stressing the research review activity, and not the setting for the activity.
  2. HRPPs are also known as Human Research Participants Protections Programs, which, in Figure 1, we have abbreviated HR P3.

Product Added Successfully

This product has been added to your account and you can access it from your dashboard. As a member, you are entitled to a total of 0 products.

Do you want access to more of our products? Upgrade your membership now!

Your Product count is over the limit

Do you want access to more of our products? Upgrade your membership now!

Product added to cart successfully.

You can continue shopping or proceed to checkout.

Comments (0)

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
  • Use to create page breaks.
Enter the characters shown in the image.