Published on 15/11/2025
Risk-Based Impact Assessment and Categorization of Protocol Deviations
Purpose, Regulatory Anchors, and the Outcomes a Good Model Delivers
Impact assessment and risk categorization translate raw deviation facts into decisions that protect participants, protect endpoints, and keep oversight proportionate. An effective model makes three things predictable across sites, CROs, and vendors: how fast to act, who to notify, and what evidence to generate. It must work across the USA, UK, and EU—and be intelligible to auditors and inspectors worldwide.
Regulatory anchors. The quality-by-design philosophy in ICH E6 (R2/R3)
Why a unified model matters. Without a shared rubric, similar events receive different labels (“minor deviation,” “violation,” “serious breach candidate”), notification choices become inconsistent, and CAPA energy is misallocated. A unified model avoids semantic disputes by assessing impact dimensions first, then mapping to local terms and reporting routes. It also creates measurable thresholds for quality tolerance limits (QTLs) and risk indicators (KRIs), enabling risk-based monitoring (RBM) to focus where it counts.
Design objectives. A regulator-ready impact model should: (1) prioritize participant safety/rights and endpoint integrity; (2) incorporate detectability and correctability so reversible, low-bias errors do not crowd out the critical ones; (3) separate event severity from systemic pattern; (4) produce auditable evidence (ALCOA++ records with signature manifestation and timestamps); (5) map internal tiers to country-specific reporting, including “serious breach” where applicable; and (6) trigger the right actions—reconsent, data salvage, statistics consultation, notifications, and CAPA—within defined service levels.
Outcomes for sponsors and sites. Done well, the model reduces avoidable IRB/IEC escalations, shortens time-to-decision for high-impact events, and shrinks repeat deviations through CAPA that targets real root causes. For inspectors, it yields transparent, contemporaneous logic: who decided, on what evidence, against what threshold, and where the proof lives in the Investigator Site File (ISF) and Trial Master File (TMF).
Scope. Assess any unplanned departure affecting consent and reconsent, eligibility, visit windows, endpoint procedures and instruments, investigational product (IP) handling and unblinding, safety reporting (including SAE clock), data capture/transfers (EDC, eCOA, IRT, imaging), privacy/security during remote work, and decentralized trial (DCT) logistics like direct-to-patient shipments and home-health visits.
The Risk Model: Dimensions, Scoring, Thresholds, and Mappings
Use a small set of dimensions to keep scoring explainable at the site while still precise enough for cross-study consistency. A five-point scale (1=negligible, 5=critical) per dimension works well and keeps math simple.
Core dimensions and anchors
- Participant safety & rights (S): Did the event harm or plausibly increase risk beyond consented levels, compromise privacy/confidentiality, or undermine voluntariness/comprehension? Anchor to WHO ethics themes and to FDA/EMA expectations for consent and safety.
- Endpoint/data integrity (E): Did the event distort or plausibly distort primary/secondary endpoints or key analyses (e.g., timing, instrument validity, blinding, missingness that is not missing at random)? Align with statistical analysis plans.
- Regulatory/GCP duty (C): Did the event breach essential duty (e.g., performing procedures before consent; SAE timeliness; use of unapproved protocol version)? Ground this in ICH principles and regional rules.
- Detectability & correctability (D): Could the problem be detected quickly and corrected without bias (e.g., repeat procedure inside window, obtain missing element before next visit)? Lower scores when fully reversible; higher when irreversible.
- Systemic reach (R): Is it isolated (one person/one subject) or systemic (repeated pattern, multiple subjects/sites, vendor-wide configuration)? Repetition elevates category even if each single instance is modest.
Scoring rubric (1–5 each). Define exemplars in a playbook so teams calibrate decisions. For example: S=5 for dosing beyond allowed range or consent not obtained; E=5 for missed primary endpoint window with no valid imputation; C=5 for 48-hour late initial SAE submission where local rules require immediate/expedited reporting; D=5 for non-correctable, non-detectable errors; R=5 for configuration error affecting many subjects/sites.
From scores to categories
- Lower-risk deviation: Max(S,E,C) ≤ 2 and R ≤ 2 and D ≤ 2. Fully correctable, no plausible impact to safety/rights or endpoint integrity. Document and close with local CAPA if needed.
- Major deviation / protocol violation (policy term): Max(S,E,C) ≥ 3 or R ≥ 3, or D ≥ 3 when the irreversibility introduces bias risk. Requires sponsor/PI review, targeted actions (e.g., reconsent), and may be promptly reportable to IRB/IEC per local rules.
- Serious breach candidate (EU/UK mapping): Max(S,E) ≥ 4 and likely to significantly affect safety/rights or data reliability. Trigger expedited assessment and, if confirmed against country tests, notify regulator/ethics within country timelines.
Thresholds and QTLs. Define study-level quality tolerance limits aligned to endpoints and safety: e.g., “Primary endpoint window misses >2% of randomized subjects” or “SAE timeliness failures >1 per 100 subject-months.” Crossing a QTL auto-triggers a cross-functional review (Clinical, Stats, QA, Safety) and a study-level CAPA. KRIs at site level (e.g., eCOA missingness spikes, imaging repeat rate outside norms) trigger targeted support and retraining.
Special cases that alter scores
- DCT identity/privacy. Failed identity checks in tele-consent or unredacted PHI sharing increase S and C; if repeated across subjects, R rises quickly.
- Device/scale versions. Unvalidated firmware or scale versions increase E (measurement properties may shift) and R when distributed broadly.
- Unblinding. Any accidental unblinding impacting endpoint assessment or randomization concealment scores E ≥ 4; if emergency unblinding is undocumented, C rises as well.
- Eligibility adjudication. Misapplied criteria with dosing performed increases S and E; correctability is often low (D high) if the subject has already received IP.
Mapping table for documentation. In your deviation form, auto-display a two-column mapping: Internal category → IRB/IEC reporting term; Internal “serious breach candidate” → country-specific serious breach test and timer. Include links to concise country notes so teams act without delay.
Evidence expectations. Each record prints signature manifestation (name, date/time with time zone, meaning), shows audit trail entries for edits, and links to supporting source, system screenshots/exports, and correspondence. These controls align to the spirit of Part 11/Annex 11 concepts referenced by FDA/EMA and are expected by PMDA and TGA reviewers.
Operating the Assessment: Fast Triage, Consistent Decisions, and Right-Sized Actions
Speed matters for participant protection and for preserving endpoint validity. Establish service levels and a repeatable triage that any CRA or site can run with the PI—even at 2 a.m.
Triage flow (minutes to days)
- Capture facts (within 24 hours of awareness): What happened, when did awareness occur, who/what is affected, and which systems were involved (EDC/eCOA/IRT/imaging/safety). Attach photos/screenshots with visible system clock and record IDs.
- Score against S, E, C, D, R (within 2 business days or earlier if safety/endpoint-imminent): Use the playbook exemplars. The tool proposes a provisional category based on the max and on systemic flags.
- Decide actions: For S/E ≥3, perform participant protections immediately (reconsent, additional assessments, safety follow-up). For C ≥3, check local reporting obligations. For D ≥3, consult statistics on data salvage options and bias risk. For R ≥3, broaden the search (look for similar events in dashboards).
- Notify: If criteria match IRB/IEC prompt reporting or serious-breach candidate tests, assemble the notification pack and route. Always record rationale for “notify” or “not notify.”
- Root cause and CAPA: Separate human slip from design flaw. A firmware push without communication is design/technical; a misunderstood visit window may be training or template. CAPA must include an effectiveness metric—what will improve, by how much, and by when.
- Close and file: Quality review confirms narrative clarity, links, and signatures; TMF/ISF locations filled. Update dashboards and, if a QTL was tripped, schedule the cross-functional review.
Scenario mini-cases (how the rubric drives consistent calls)
- Missed primary endpoint window by 48 hours; not repeatable: E=4 (primary, timing critical), D=4 (non-correctable), R=1 (isolated). Category: major deviation/protocol violation; consider sensitivity analysis; notify IRB per local rules. If repeated across subjects, R rises and a study-level CAPA is warranted; EU/UK may approach “serious breach” if reliability is significantly affected.
- Tele-consent performed without dual identity check, procedures done: S=4 (rights), C=4 (consent duty), D=3 (correctable only prospectively), R depends on pattern. Actions: reconsent, ethics consult; consider serious-breach candidate in EU/UK; retrain and fix identity workflow.
- SAE submitted 36 hours late; no harm progression: S=3 (risk), C=4 (timeliness duty), R increased if repeated. Actions: notify per local rules; CAPA on clock logic; verify monitoring of tele-reported events; revise micro-learning on clock start.
- Device firmware auto-updated across sites; validity uncertain: E=4, R=5 (systemic), D=3–4 (often not reversible). Actions: statistics and endpoint working group convened; potential data handling change; vendor CAPA; risk communication to sites; consider serious-breach candidate depending on effect size.
- Specimen shipped using outdated kit; stability within limits: S=1–2, E=1–2, D=1 (recoverable), R=2. Category: lower-risk deviation; local fix to labeling/training; no external notification beyond sponsor/PI unless pattern emerges.
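As an added example that is not part of the original article, the following Python encodes the S/E/C/D/R thresholds from "From scores to categories", the "Decide actions" triage step, and the two study-level QTLs named above, then runs the scenario mini-cases through it. Scores the mini-cases do not state (for instance C in the endpoint-window case) are assumed values marked in comments; the evaluation order (most serious category first), the two judgement flags for the rubric's "when irreversibility introduces bias risk" and "likely to significantly affect" clauses, and the "needs review" fallback for score combinations the rubric leaves open are also assumptions.

```python
from dataclasses import dataclass

# Category labels follow the page; REVIEW is an assumed fallback for score
# combinations the page's three rules do not cover (e.g. D=3 with no bias risk).
LOWER_RISK = "lower-risk deviation"
MAJOR = "major deviation / protocol violation"
SERIOUS_BREACH = "serious breach candidate"
REVIEW = "needs review"


@dataclass(frozen=True)
class Scores:
    S: int  # participant safety & rights
    E: int  # endpoint/data integrity
    C: int  # regulatory/GCP duty
    D: int  # detectability & correctability (higher = less correctable)
    R: int  # systemic reach
    # Judgement flags the rubric needs beyond the numbers (assumed representation):
    bias_risk: bool = False          # irreversibility introduces bias risk (D clause)
    significant_effect: bool = False  # likely to significantly affect safety/rights or data reliability

    def __post_init__(self):
        for name in "SECDR":
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be on the 1..5 scale, got {value}")


def categorize(s: Scores) -> str:
    """Apply the page's thresholds, checking the most serious category first."""
    if max(s.S, s.E) >= 4 and s.significant_effect:
        return SERIOUS_BREACH
    if max(s.S, s.E, s.C) >= 3 or s.R >= 3 or (s.D >= 3 and s.bias_risk):
        return MAJOR
    if max(s.S, s.E, s.C) <= 2 and s.R <= 2 and s.D <= 2:
        return LOWER_RISK
    return REVIEW


def required_actions(s: Scores) -> list[str]:
    """Triage actions from the page's 'Decide actions' step, in rubric order."""
    actions = []
    if max(s.S, s.E) >= 3:
        actions.append("participant protections")
    if s.C >= 3:
        actions.append("check local reporting obligations")
    if s.D >= 3:
        actions.append("statistics consult on data salvage and bias")
    if s.R >= 3:
        actions.append("search dashboards for similar events")
    return actions


def qtl_tripped(endpoint_misses: int, randomized: int,
                sae_late: int, subject_months: float) -> dict[str, bool]:
    """Study-level QTLs from the page: endpoint-window misses >2% of randomized
    subjects; SAE timeliness failures >1 per 100 subject-months."""
    return {
        "endpoint_window": randomized > 0 and endpoint_misses / randomized > 0.02,
        "sae_timeliness": subject_months > 0 and sae_late / subject_months * 100 > 1,
    }


# The page's mini-cases. Values the page leaves open are assumed and marked.
MINI_CASES = {
    "missed endpoint window, isolated":
        Scores(S=1, E=4, C=2, D=4, R=1, bias_risk=True),                   # S, C assumed
    "tele-consent without identity check":
        Scores(S=4, E=1, C=4, D=3, R=2, significant_effect=True),          # E, R assumed
    "SAE 36h late":
        Scores(S=3, E=1, C=4, D=2, R=2),                                   # E, D, R assumed
    "firmware auto-update, large effect":
        Scores(S=2, E=4, C=2, D=4, R=5, bias_risk=True, significant_effect=True),  # S, C assumed
    "outdated specimen kit":
        Scores(S=2, E=2, C=1, D=1, R=2),                                   # C assumed
}

if __name__ == "__main__":
    for name, scores in MINI_CASES.items():
        print(f"{name}: {categorize(scores)} -> {required_actions(scores)}")
    # Constructed study counts: 7 window misses of 240 randomized, 2 late SAEs in 150 subject-months.
    print(qtl_tripped(endpoint_misses=7, randomized=240, sae_late=2, subject_months=150))
```

The flags make the two judgement clauses explicit in the record rather than hidden in a free-text rationale, which is what the "always record rationale" step asks for; a form built on this shape can refuse to save a category until both the five scores and the applicable flag are filled, matching the "label-first, analysis-later" fix below.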
Roles and accountability. The PI is accountable for subject-level decisions and documentation; the sponsor (or delegated CRO) is accountable for study-level risk posture and external notifications. QA ensures the rubric is followed and calibrates across regions and vendors. Statistics owns data impact memos and sensitivity analyses. Safety owns SAE timeliness remediation and reconciliation. All sign-offs must be attributable and time-stamped.
Data handling integration. Each major event gets a short statistician-authored note: can the value be repeated, imputed, or excluded; is missingness ignorable; do we need sensitivity analyses? Link this memo to the deviation record and to the Data Handling Plan so auditors see coherence from decision to analysis.
Decentralized specifics. For DCT, add prompts in the tool for identity verification, tele-visit privacy statements, courier chain-of-custody evidence, and device activation logs. These artifacts are part of the impact story and frequently requested in inspections.
Governance, Calibration, Metrics, and Practical Checklists
Impact assessment is only as good as its calibration and follow-through. Treat it as a living system: measure, learn, and tighten thresholds where patterns indicate blind spots.
Calibration and continuous improvement
- Quarterly calibration boards: Review 8–12 anonymized cases from different regions/vendors; re-score S/E/C/D/R; resolve disagreements; update exemplars. Record outcomes to the TMF.
- Playbook maintenance: Versioned examples for consent, SAE timeliness, endpoint timing, device firmware, unblinding, privacy/PHI. Include do/don’t narratives and “what changed” notes after amendments or system releases.
- Vendor alignment: Flow down the rubric and thresholds in quality agreements and SOWs; require exportable records with audit trails and signature manifestation aligned to the spirit of Part 11/Annex 11.
Metrics that prove control (KPIs) and trigger action (KRIs)
- Speed: median hours awareness→intake; intake→risk score; score→notification decision; decision→submission or reconsent.
- Quality: % of major events with complete S/E/C/D/R scoring and rationale; % with linked data handling memo and participant actions; % with monitor verification within two visits.
- Effectiveness: recurrence rate of the same category post-CAPA; time to green on site-level KRIs after intervention.
- QTL watch: proximity of key indicators (endpoint-timing misses, SAE timeliness) to study-level limits; number of QTL triggers and closure time.
- Equity & localization: deviation clusters by language or bandwidth constraints; corrective localization (glossaries, translated micro-modules) deployed and tracked.
Common pitfalls—and resilient fixes
- Label-first, analysis-later: Teams jump to “minor/major” without scoring impact. Fix: require S/E/C/D/R fields before category; tool won’t save otherwise.
- Overweighting detectability: Easy-to-spot issues get all the attention. Fix: dashboards prioritize Max(S,E,C) before aging.
- Inconsistent serious-breach calls: Local teams fear over-reporting or under-reporting. Fix: add a “serious breach candidate” checkbox with country-specific tests and timers; QA co-sign required.
- Weak evidence trail: Screenshots lack context or signatures are missing. Fix: template enforces signature manifestation; attachments must include system name, record ID, and timestamp.
- CAPA without effect: “Retrain” repeated endlessly. Fix: require a measurable target (e.g., reduce endpoint-window misses from 3.2% → <1% in 60 days) and a site-level verification step.
Practical checklists you can deploy this month
- Impact intake checklist: Awareness time captured; S/E/C/D/R scored with exemplars; provisional category auto-filled; mapping table reviewed; sign-offs captured.
- Action checklist: Reconsent decision documented; safety follow-up done; data memo attached; IRB/IEC or regulatory notification packaged (where applicable) with acknowledgments.
- Closure checklist: Root cause identified; CAPA owner/date set; effectiveness metric defined; TMF/ISF locations populated; monitor verification scheduled.
- Readiness drill: Pick a random subject; retrieve consent, eligibility, first dose, the deviation record, data memo, notifications, and CAPA/effectiveness results in < 5 minutes each.
The inspection story. A well-run impact model produces a simple narrative inspectors recognize across agencies: we started with ICH-quality principles; we prioritized participant safety/rights and endpoint integrity; we scored consistently using a documented rubric; we mapped to local reporting (FDA/IRB in the U.S., serious breach where applicable in the EU/UK); we generated ALCOA++ evidence with signature manifestation; and we linked CAPA to measurable improvement. That is the hallmark of a mature quality system welcomed by the FDA, EMA/UK authorities, PMDA, TGA, and consistent with the ethics perspective emphasized by the WHO.