Designing the Reconciliation System—What to Match, How Often, and With Which Evidence

Define the reconciliation inventory. Start with data elements that drive regulatory duty or interpretation: subject/site IDs; AE/SAE status; onset/stop (date and time for expedited cases); seriousness criterion; severity grade (if collected); site and sponsor relatedness; expectedness with RSI/label version/date; outcome; action taken; MedDRA PT/LLT version; and, for devices, malfunction taxonomy, model/serial, firmware/software, alarm text, and returned-unit disposition. Add link fields—EDC AE form identifiers and safety case IDs—so cross-system navigation is instantaneous.

Keys that prevent drift. Use deterministic keys (Study + Site + Subject + Onset Date/Time + PT) and a tolerant “fuzzy” layer (levenshtein between PTs and close onset times) to propose matches. Store a stable link ID once verified so the same event is never reconciled twice. When an event splits/merges during clinical maturation (e.g., symptom clusters become a diagnosis), record the lineage in both systems with “superseded by” references.

Cadence and triggers. Schedule three layers: (1) continuous (daily/weekly) for expedited/SAE fields; (2) periodic (monthly/quarterly) for all AEs; and (3) event-driven for data locks, DSUR/PSUR/DHPC cutoffs, IDMC meetings, and database migration. Establish a “freeze window” before interim analyses during which only documented critical corrections are allowed.

Data transfer specifications (DTS) and validation. Publish a DTS that maps every field, data type, and controlled vocabulary between EDC and safety. Version the DTS; validate the ETL; and keep unit tests for typical defects (off-by-one date, time zone loss, character encoding in non-ASCII names, mixed-case IDs). Store test evidence in the TMF and make it clickable from the reconciliation SOP.

Differentiated by modality. For drugs/biologics, ensure expectedness maps to the RSI/label version in force at onset; for devices, map to risk analysis/IFU and capture recurrence-risk assessment. For DCT/hybrid workflows, add ePRO/eCOA timestamps, tele-visit identity verification markers, courier/home-nurse logs for onset plausibility, and app telemetry for connected devices. Align local time and UTC to eliminate time-drift ambiguity.

Evidence model. Every discrepancy must be resolvable to evidence: the signed AE page, physician note, discharge summary, lab trend or ECG PDF, device logs/bench tests, and the ICSR packet. Build “one-click chains”: listing → case link → narrative → attachments → submission proof. If your team cannot produce the chain in five minutes during a mock drill, fix filing and metadata before inspection.

Change control and version hygiene. MedDRA and RSI versions change; so do device IFUs. Lock the dictionary and reference version per case at awareness, then define rules for aggregate re-tabulation without overwriting history. When versions shift, publish a “what changed and why” memo and push a micro-refresher to sites and coders.

Privacy and minimum necessary data. Reconcile IDs using study keys; avoid moving personally identifiable data across systems unless absolutely necessary. Where local rules limit full dates, use relative dating (e.g., “Day +3 after Dose 2”) consistently across EDC and safety to preserve medical meaning.

Execution—Listings, Workflows, Queries, and the Path From Discrepancy to Closure

Core operational flow. (1) Generate listings (SAE, expedited candidates, all AEs) with side-by-side EDC vs safety fields and a traffic-light status. (2) Auto-propose matches using deterministic keys, then surface fuzzy candidates for human review. (3) Classify discrepancies: identity (wrong subject/site), term (PT/diagnosis vs symptom), timing (onset/stop), seriousness/relatedness/expectedness, outcome/action, dictionary/version, device metadata, or attachments/proof. (4) Assign an owner and due date; (5) issue a targeted query to the site or escalate internally; (6) document the correction or justification; (7) close with an audit-trailed note referencing evidence.

Discrepancy taxonomy with examples.

• Timing: EDC onset 2025-03-05 08:00; safety onset 2025-03-05 (no time). Resolution: add 08:00 to safety (source: ED triage note), update narrative, retain immutable awareness time for expedited clock.
• Seriousness: EDC “hospitalization” checked; safety “non-serious.” Resolution: attach admission/discharge summary; update safety seriousness to SAE and evaluate expedited duty.
• Relatedness: site “not related” vs sponsor “possible.” Resolution: retain both; narrative explains rationale; expedited path follows conservative plausible assessment.
• Expectedness: EDC blank; safety cites RSI 13.0. Resolution: add RSI version/date to EDC or ensure mapping table populates listing for transparency.
• Device metadata: model/firmware missing in EDC; present in safety. Resolution: update EDC device subform; reconcile returned-unit ID and engineering disposition.

Query discipline. Targeted questions beat fishing expeditions. Ask only for decision-critical items: confirmation of onset clock time; seriousness criterion; missing discharge summary; ECG method/rate for QTc; MRI timing near an implant malfunction; or identity verification for tele-reported events. Provide examples of acceptable documents and due dates; explain why the data matter.

Safeguarding the blind. Keep reconciliation teams blinded by default. Where allocation is necessary (e.g., drug code influences expectedness), an unblinded safety unit retrieves only the minimum needed, records access, and shields blinded staff from treatment details. Narratives visible to blinded teams should read “unblinding performed for safety per SOP” without revealing codes.

Interfaces and automation—with guardrails. Configure the safety system to (a) flag expedited candidates when seriousness + relatedness + unexpectedness criteria are met; (b) pull structured EDC fields for comparison; (c) block lock if narrative lacks the PT string or expectedness version/date; and (d) prevent duplicate ICSR IDs. Automation accelerates work; humans decide.

Reconciliation with source. Source data verification (SDV) for safety is targeted: pull source documents when a discrepancy affects expedited duty, endpoint integrity, or signals. Keep a sampling plan (e.g., all expedited cases; 20% of non-expedited SAEs; focused pulls for high-risk sites). Cite source explicitly in the closing note (“onset reconciled to ED triage note dated…”). Avoid uploading entire charts; store minimal necessary pages that prove the point.

Metrics that change behavior. Dashboards should display: awareness-to-validity time; percentage of events with complete deterministic keys; listing aging; discrepancy closure time; narrative-field consistency rate; expedited clock burn-down; duplicate rate; reconciliation gap rate; and five-minute retrieval pass rate. Each number must click through to a case; numbers without artifacts are not inspection-ready.

Training and calibration. Use paired vignettes that differ by a single fact (onset two hours vs two weeks; symptom vs diagnosis; “severe” intensity vs serious outcome). After any RSI/MedDRA/IFU update, run a micro-refresher because expectedness or coding can flip for the same clinical picture as knowledge evolves.

Governance, KRIs/QTLs, Pitfalls, 30–60–90 Plan, and a Ready-to-Use Checklist

Ownership and meaning of approval. Keep decision rights small and named: a Safety Operations Lead (accountable), Safety Physician (medical correctness), Data Management Lead (listings/ETL/keys), Device Engineer where applicable, and Quality (ALCOA++/traceability). Each signature should state its meaning—“medical accuracy verified,” “mapping/keys validated,” “engineering disposition reviewed,” “ALCOA++ check passed.” Signatures that explain what was approved are easier to defend than signatures that merely exist.

Key Risk Indicators (KRIs) and Quality Tolerance Limits (QTLs). Watch early-warning signals and promote the most consequential to hard limits:

• KRIs: spike in narrative–field mismatches; missing expectedness version/date; ≥1% duplicate AEs across systems; rising listing aging; time-zone drift; device cases lacking model/firmware; repeated “unknown seriousness” at intake.
• QTLs: ≥10% narrative–field inconsistency at lock; ≥5% expedited cases missing proof of submission; ≥3 portal rejections in a week; ≥72-hour delay for preliminary engineering disposition on malfunction cases with serious recurrence risk; five-minute retrieval pass rate <95%.

Common pitfalls—and durable fixes.

• One event, two truths. Diagnosis in safety; symptoms in EDC. Fix with lineage rules (symptoms → diagnosis) and “superseded by” references in both systems.
• Clock ambiguity. Date without time in one system. Fix with mandatory clock time for expedited/SAE and conservative internal buffers.
• Version drift. MedDRA or RSI changes mid-study. Fix with case-level locks, controlled re-tabulation for aggregates, and “what changed and why” notes.
• Device metadata gaps. Model/firmware missing in EDC. Fix with device subform and validation; reconcile to safety and complaint/engineering systems.
• Over-querying sites. Fix with a targeted query catalog tied to discrepancy taxonomy; ask only for decision-critical data.

30–60–90-day implementation plan. Days 1–30: publish DTS and reconciliation SOP; define keys and discrepancy taxonomy; wire dashboards to artifacts; set target cadences; build query catalog; define signature blocks with meaning of approval. Days 31–60: validate ETL and run pilot listings in two countries; tune fuzzy matching; execute weekend drills; start monthly five-minute retrieval tests; run a micro-refresher on RSI/MedDRA/IFU versioning. Days 61–90: scale globally; enforce QTLs; integrate device returned-unit tracking; institute weekly reconciliation huddles; convert recurrent issues into design fixes (template fields, validation rules), not just reminders.

Ready-to-use reconciliation checklist (paste into your SOP or study safety plan).

• Deterministic keys defined and implemented (Study/Site/Subject/Onset Date–Time/PT) with fuzzy matching and stable link IDs.
• Listings active for SAEs/expedited (continuous), all AEs (periodic), and event-driven cutoffs (locks, DSUR/PSUR/IDMC).
• Side-by-side comparison includes IDs, term/PT, onset/stop date–time, seriousness, severity, relatedness (site/sponsor), expectedness with RSI/label version/date, outcome, action taken, dictionary/version, and device metadata.
• Discrepancy taxonomy applied; targeted queries issued with due dates and “why this matters”; closures reference specific evidence.
• Narrative/field consistency check enforced before lock; narratives contain PT string; attachments cited; proof of submission linked for expedited cases.
• Firewalls protect the blind; minimal-disclosure unblinding path recorded with access logs.
• Source verification plan defined (expedited/all SAEs/high-risk sites), with minimal necessary pages stored and cited.
• DTS version-controlled; ETL validated; unit tests for time zones, encoding, and ID case-sensitivity passed and filed.
• Dictionary/RSI/IFU version locks at case level; aggregate re-tabulation rules defined; “what changed and why” memos filed after updates.
• Dashboards wired to artifacts; KRIs/QTLs monitored; five-minute retrieval drill passed monthly; CAPA favors design changes.

Bottom line. Reconciliation is a small, disciplined system—clear keys and mappings, a cadence of listings, targeted queries, version hygiene, and artifacts you can retrieve in minutes. Build it once and you will move faster, meet expedited timelines, and defend your safety narrative across drugs, biologics, devices, and decentralized workflows.