Study Blinding and the TMF

April 1, 2013

  • eTMF Best Practices

Accidental unblinding is a significant concern in clinical trials.  A number of TMF documents may contain information that would unblind the study for a single subject or an entire population.  Some examples are interim analysis documents, protocol deviations, randomization lists, safety reports, and correspondence.

Bringing documents into an eTMF in general means they are available to a larger potential audience than in a paper TMF.  This in turn means that additional, preferable automated security processes need to limit accessibility to any documents that contain unblinding information to those individuals with a true “need to know”.

The challenge is that it’s not a strictly rules-driven process.  Take a simple example – correspondence.  While it’s possible that correspondence may contain unblinding information, most correspondence does not.  Contrast that with a protocol, which never contains such information.

The eTMF system then must have an efficient way of identifying documents that might contain unblinding information and prompting a contributor to decide whether or not it actually does.  It must then apply security rules to limit the document’s audience to the right people.  It’s generally sufficient to security the content but allow the document’s existence – and metadata – to be visible to all.

The situation may grow more complicated when the documents in question originate in another system.  A good example is safety documents such as serious adverse event (SAE) cases.  SAEs often originate in a pharmacovigilance system, and that system generally remains the system of record for the official copy.  However, they are also part of the TMF.  It’s not clear that they need to be replicated to the TMF.  The UK Medicines and Healthcare products Regulatory Agency (MHRA) discusses this topic in the Good Clinical Practice “Grey Guide”:

The documentation does not all necessarily need to be in the same location, but it must be clear where it is held from TMF procedures or indexes as it must6 be readily available both during the trial and during the archiving retention period following the trial. For example, it may be appropriate for an organisation to determine that serious adverse event (SAE) cases will all be retained in the pharmacovigilance department, including the suspected unexpected serious adverse reaction (SUSAR) receipt confirmation, rather than printing it off the pharmacovigilance database and filing in the TMF.

However, sponsors are becoming concerned that although they don’t have to bring these documents into the eTMF to be compliant, the alternative is to allow the auditors direct access to the pharmacovigilance system, which may be neither practical nor desirable.  As a result, they may be planning to bring copies of SAEs and other safety documents into the TMF.  For large companies with many trials, an automated “batch upload” process is really necessary to support this transfer.

Depending on a sponsor’s practices, some or all SAEs may break the blind.  (For an excellent discussion of this topic, see Breaking the Blind in Clinical Trials & Reporting to Health Authorities, Investigators & IRBs/Ethics Committees.)  However, the safety/ pharmacovigilance system may not store metadata about the unblinding status of each SAE.

When the eTMF accepts the batch of safety documents, they could be handled in three possible ways:

  • Treat all as unblinding.  (Not desirable from an accessibility standpoint)
  • Treat none as unblinding.  (Not acceptable from a blind protection standpoint)
  • Send into an indexing process where a trained individual can determine the correct status (best option)


eTMF system owners and managers should ensure that the end-to-end process of handing unblinding documents is defined:

  • Categories of documents which may contain unblinding information must be identified
  • Contributors creating or uploading these documents must be trained to identify them accurately
  • The eTMF must then apply security rules to secure the content from those users who should not see it
  • Batch upload processes should not result in a “back door” where unblended documents are not properly identified and secured