In our latest Team Highlight we’re featuring Heather Armstrong, chatting with her about her path to GCP and GLP QA, what shifts she sees coming with R3, and an industry-related book recommendation.  

What led you into the industry and into your particular specialties? 

I have always been a science geek, wanting to understand the why of our natural world. I fell into clinical research by way of clinical data management. After finishing UCSD with my BS in Biochemistry & Cell Biology, I started working in labs doing immunoassay development. While the work was interesting, I realized that bench work was probably not “it” for me. I signed up for a UCSD Extension program and completed their certificate in Clinical Trials Design and Management and tossed my CV on monster.com (remember that?). A large CRO hired me into an entry-level clinical data manager position. I had no idea what that was on Day 1, but I went with it.  

This was the time of paper case report forms, 3-part NCR forms, 3-part queries printed on printers that jammed every 10 queries, and FedEx’ing those to sites. Reams and reams of paper, including working copies where changes were properly annotated as the database was also updated (ClinTrials and OracleClinical was where the action was at). The concept of an electronic CRF was being floated, and there was resistance because no site would want to enter data at a computer (note: sites didn’t complete the paper CRFs that quickly either). 

After some time in data management at both the CRO and a sponsor, I made a lateral transition to QA, focusing on GCP. I started with site audits (by that time, data was going into eCRFs, but source documents were still all paper), eventually branching into inspection readiness work from the GCP perspective. 

I joined a CRO as GCP QA and was able to grow and got further experience in site audits, along with just about every single type of GCP vendor audit under the sun. I grew my computerized systems auditing acumen during that phase of my career, as all vendors (except one, a tiny IRB that only used paper records) used electronic systems, either as their primary offering (eCRF solutions, IRT solutions, etc.), and/or to support their work (quality systems the vendor uses, learning management systems used by the vendor, etc.). 

Of course, the responsibility for “validation” resides with the end user of the system (not the software developer – there is no such thing as “pre-validated” no matter what the vendor’s business development tells you); however, it is important to assess how software vendors are developing and testing their software, so that the solution can be validated (in a risk-based approach of course) to the standards of 21 CFR Part 11/EU Annex 11by the end user. 

Eventually, I added GLP QA to my repertoire as the opportunity to oversee and audit GLP facilities became part of the scope my role at a small biotech. The GLPs are far more straightforward and legally binding worldwide (FDA has regulations and OECD GLPs are followed by most of the world) than the GCPs (legally binding in the EU/UK and published as guidance in the US). 

What do you see happening in terms of industry trends? 

One shift in the GCP space that I really like is that risk management for GCP has finally arrived, enshrined in GCP ICH R3. My hope is that sponsors fully embrace R3 regardless of region, as early and proactive risk management, and that periodic monitoring of departure to identified quality factors will support robust data integrity and study participant safety and protection. This is important given the number of systems used to capture data, the use of remote technologies and associated integrations, and that sponsors must oversee multiple vendors and data streams.  

One of my favorite things to talk about these days is to help build knowledge of how GCP risk management can be applied in a practical manner and that it does not have to be painful or even overly time consuming (especially started in conjunction with protocol development and in partnership with those same functional areas).  In fact, the protocol may even be better with early risk management discussions happening prior to finalization. 

What do you like to do outside of work? 

I am a book worm, a keeper of fancy yarn (and a knitter too), and a wanna-be photographer.  For an industry-relevant read (and helpful as GCP expects us to govern our data properly), I recommend “Non-Invasive Data Governance” by Robert S. Seiner to help understand what governance of data is, at a high level.