ICH GCP Goes Risk Based

Oct 20, 2015

GCP Addendum Review and Embracement Plan

The new upcoming GCP E6 (R2) addendum has the potential to reform clinical monitoring and clinical trial management. What changes does it bring to all of us? What does this mean for a pharmaceutical company, for a Contract Research Organization (CRO) and for an investigator in terms of changes to the processes of trial oversight, data collection and reporting and trial design and planning? In this article, you will find a structured summary and critical review of the new addendum, and as well as ideas on how to prepare for these regulatory changes.

“When the facts change, I change my mind,” Winston Churchill once said. When regulations change, it can change how people think across the entire industry. This article intends to systematize and critically comment on the primary new topics addressed in the ICH GCP addendum (GCPA) E6 (R2).

The revision of the International Conference on Harmonization (ICH) Good Clinical Practice (GCP) guideline, and specifically its addendum E6 (R2), will presumably take effect in 2016. Industry experts already refer to it as an important milestone in driving adoption of Quality-by-Design and Quality Risk Management principles and methodologies in clinical development. The ICH Expert Working Group has decided to update the guideline, which has remained unchanged for 19 years. Since the last revision of the guideline, the environment in clinical trials has fundamentally changed. A few technological changes that were unknown or in their infancy when the E6 Guidelines were issued include: the Internet, smart phones, electronic data capture, real time review of clinical data, drug development as a truly global enterprise, etc. Technology progress is, however, counterbalanced by growing complexity and costs of clinical trials, creating pressure on sponsors – academic and commercial – whilst ethical and quality standards have become stricter. The regulatory environment for conducting clinical trials has not become any easier since the initial rollout of ICH GCP. Moreover, drug development is a global endeavor, requiring progressively greater division of tasks across multiple functional teams, organizations and locations. On the positive side for sponsors, evolving technology offers new opportunities. The new GCPA takes this evolution of technology into consideration and encourages sponsors to pursue innovative approaches for conducting clinical trials. Quality-by-design and risk-based quality management are now recommended as approaches of choice to sponsors of clinical trials. Additionally, the GCPA defines standards and procedures for the use of IT tools, as well as for the management of electronic records and essential documents.

The new regulatory document adds new concepts to the existing current ICH GCP guideline. The addendum states the need for many well-established processes in order to align the GCP with reality (e.g., validation of computerized systems or centralized monitoring), in addition to adjusting and modernizing well-known processes and procedures such as clinical trial oversight. Despite the wide range of topics, the goal of the new addendum remains concise:

“To encourage implementation of improved and more efficient approaches to clinical trial design, conduct, oversight, recording and reporting while continuing to ensure human subject protection and data integrity.”1

Let us start our review with the sponsors’ responsibilities. Three main roles and responsibilities have been identified:

  • Risk-based quality management

  • Risk-based monitoring

  • CRO oversight

Quality Management

The topic that was expanded upon the most in the GCPA document was quality management. GCPA fully embraces the quality-by-design and risk-based approaches. Quality Management (QM) hinges on the quality-by-design concept, which infers that the quality of a clinical trial must be ensured through careful and fact-driven planning. Efficient and effective trial designs must be supported by tools and processes that leverage past experience, real-life data, and so on, in order to eliminate from study protocols requirements (e.g., inclusion and exclusion criteria) and study procedures that are not realistic and would become the root cause of poor protocol compliance by investigators, in addition to eliminating avoidable protocol amendments.

In the new GCPA, it is stated for the first time in the context of ICH GCP that QM is expected to be risk-based. The risk-based approach should be applied to QC/monitoring, as well as to QA/auditing tasks. The concept of risk identification and prioritization is the “logical thread” throughout the GCPA document to make clinical trial activities more focused on important clinical risks. The risk-based approach is based on the following criteria:

  1. Critical process and data identification

  2. Risk identification

  3. Risk evaluation

  4. Risk control (mitigation actions)

  5. Risk communication

  6. Periodical risk review

  7. Risk reporting

The analytic part of risk evaluation occurs with the help of the three main risk properties:

  1. Likelihood that a risk or failure mode materializes

  2. Impact on subject’s safety, rights and data integrity and reliability

  3. Detectability – extent to which such threats or errors are detectable

Critical Comment: The steps of risk control listed in GCPA are known from ISO 31000 (Risk Management) and now have been adapted to clinical trials. However, in the GCPA, reference is made to “Critical process and data identification,” which underlines the importance of clinical data as the main output of a clinical trial but does not match the “Risk Category Assessment” of the ISO norm. The motives of the ICH expert group for avoiding the risk categorization step are not clear.

The GCPA is now incorporating terminology already used in the old ICH Quality Risk Management (Q9) guidance. According to the GCPA, quality management now includes:

  1. “Efficient design” of a trial, and thus delivering a strong message that many clinical trials are overcomplicating its design and reducing its efficiency. These problems are also mentioned in various publications (e.g. Ken Getz et al.5 and Piantadosi4).

  2. Regarding data collection tools and processes, implicitly, it is advised to move away from paper-based CRFs and consistently use Electronic Data Capturing (EDC) systems for data collection.

The call in the GCPA for capturing data electronically stems from the need to use trial information in real time to make informed decisions.

Critical Comment: The GCPA introduces the concept of traceability of decision-making. Collection of information is critical, but it is as important to describe and document who is defining what information is to be collected for making a decision, what level of accuracy needs to be reached, and how decisions are based on facts – a decision matrix rather than an individual or team’s subjective judgment. Along these lines, sponsors have to decide what minimum information is required to make an informed decision and how decisions will be reached on the basis of objective and verifiable facts and criteria. In addition, key decisions depend on the levels of risk that a sponsor is willing to tolerate. Risk levels should again be based on objective and verifiable criteria and not on “opinions”. Such limits will determine how and when alerts or risk communication must be triggered.

Remarkably, the GCPA states the need to utilize lessons learned to optimize quality management in clinical studies by means of a risk review. This is not a new process but it has been mentioned for the first time in a regulatory document related to clinical trials. Drug developers must be aware that the risk-based approach cannot follow the pattern “get it done and forget”. It rather requires continuous improvement of each quality management process at the sponsor’s organizational level, as well as that of a clinical trial.

Data integrity is identified as a cornerstone of GCP and this concept is prominently discussed in the Monitoring and Data Handling sub-sections of the Quality Management chapter. GCPA emphasizes that whenever there is a change in the design, operations or set-up of a clinical trial or in a supporting process or system, data integrity aspects must be carefully assessed and possible risks minimized.

The GCPA also identifies the role of training and SOPs as key elements of any QM system. Therefore, the on- boarding of a team and the training on a system and process are defined as requirements:

 “SOPs should cover system setup, installation and use, system validation and functionality, security, change control, data backup, recovery, contingency planning and decommissioning.”1


The part of clinical research process that will need to be significantly adjusted is monitoring. In the GCPA, the nature of monitoring is defined more clearly:

“The sponsor should develop a systematic, prioritized, risk-based approach to monitoring clinical trials. (…) A combination of onsite and centralized monitoring activities may be appropriate. The sponsor should document the rationale for the chosen monitoring strategy.”1

GCPA sets the standards defined in the FDA and EMA guidance concerning RbM and risk management.2,3

Critical Comment: It is not surprising that the authors of GCPA have chosen a rather vague way to describe the combination of onsite and centralized monitoring activities. They state that such a combination “may be appropriate” without giving more detail or guidance related to what extent this combination is right and if this combination is needed at all. Indeed, a risk-based approach cannot be served by a “one size fits all” approach and regulators’ acknowledgement is welcomed regarding the sponsor’s responsibility to determine the optimal approach to study oversight and not mandate any given strategy.

Taking into account that the rationale of the chosen monitoring strategy should be documented, the ICH assumes that every sponsor would know the advantages of this or the other monitoring strategy and will be able to choose the right levels of application of these strategies. This is not always the case. In this sense, the FDA Guidance for Industry Oversight of Clinical Investigations3 describes in more detail what techniques relative to the verification of informed consent, site records, and source data require a higher or lower extent of onsite and centralized monitoring. The implementation of risk-based monitoring (RBM), with the consequent adjustment or reduction of onsite monitoring visits and source data verification (SDV), can only succeed after establishing an appropriate risk-based QM system. The monitoring management team should know and understand the rationale for use of the chosen monitoring method. The monitoring strategy cannot be risk-based if risk management does not exist. The authors of the GCPA included a stern warning: regulators will not accept onsite monitoring reduction under the pretext of RBM without demonstrating on how oversight is exercised. A common pitfall relative to this is an RBM approach that is neither holistic nor data driven.6

Centralized monitoring

As a part of RBM, centralized monitoring is defined as "the remote evaluation of ongoing and/or cumulative data collected from trial sites, in a timely manner."1

Here, it is important to keep in mind that the outcome of any verification through centralized monitoring processes and tools should be reported and documented as to its nature and impact – together with any corrective and/or preventive actions taken – like any other monitoring activity. What does this mean for a sponsor? Mostly, it means that the findings, decisions, and actions resulting from any centralized monitoring process should be captured, audited and archived throughout a trial. In addition, because of its systematized and repetitive nature, assessments of centralized monitoring reports and actions taken on the basis of these should be based on objective decision-making criteria and not left to the discretion of an individual.

Critical Comment: If the decision is left to an individual – as competent as the person may be – the risk is that the same observation or “signal” is considered to be acceptable in one case but not in other cases. When this happens, centralized monitoring approaches do not lead to better oversight but add a quality and compliance risk because decisions are made in a haphazard manner.

As the main tools for centralized monitoring, ICH experts advise routine review and statistical analyses. Routine review infers identification of missing data, inconsistent data, data outliers or unexpected lack of variability and protocol deviations. Such detection allows for identifying significant errors during data collection, such as data manipulation or integrity problems, or inconsistent data collection practices, such as rounding-up/down of values.

The application of statistical methods for identification of data trends, such as the range and consistency of data within and across sites, has undergone significant progress in recent times. There are companies offering RBM platforms for such analyses. According to GCPA, two main objectives could be achieved with this approach:

  • Analyzing site characteristics and performance metrics

  • Selection of sites and/or processes for targeted onsite monitoring

It is not a surprise that with regard to such approaches, GCPA is aligned with the FDA’s guidance,2 which refers to targeted monitoring as a strategy of RBM.

A monitoring process, in general, and a monitoring plan, in particular, should be “tailored to the specific human subject protection” priorities, guarantee data integrity, and include actions preventing risks to patients and data integrity that might materialize in a clinical trial. Monitoring plans and reports are interrelated. A report should contain sufficient detail to allow for verification and documentation thereof, so that all measures of verification and actions laid down in the monitoring plan have been complied with.

Since all monitoring activities should be traceable and documented, the adjustment of monitoring reports to a risk-based approach might not be simple. Apart from the systematized recording of monitoring activities, the automatization of reporting procedures and related communication systems, including issue escalation, must not be overlooked. Prioritization of data to be included in monitoring reports must be aligned with the criticality of the monitored processes and data.

CRO Oversight

Concerning Contract Research Organization (CRO) oversight, GCPA is very concise, only defining it as a sponsor responsibility.

“The sponsor should ensure oversight of any trial-related duties and functions carried out on its behalf.”1

Critical Comment: Rightly, GCPA does not mandate how oversight of third parties must be exercised; however, more detail about minimum elements and actions of oversight would also be useful from a public perception perspective. Recently, the media have given the impression that sponsors walk away from their responsibilities by transferring clinical trial tasks to CROs, and more clarity about minimum oversight responsibilities could help to correct such perceptions. For instance, clarification about the following aspects would be welcome:

  • Are regular self-reports by the CRO enough or should there be a deeper look into the CRO’s trial activities?

  • How should one act when a CRO does not fully disclose the nature of a process or the root cause of data deficiencies?

  • How can an objective assessment of the work delivered by the CRO be established?

  • What key performance metrics should be used?

  • How do the sponsor and CROs’ QMS interact and how are the interfaces managed?

Without any guidance or setting of minimum standards, there is a risk that different sponsors come to different conclusions, and as a result, apply different criteria. This may lead to a misconception of the sponsor’s responsibilities. The sponsor must set the rules for the sponsor–CRO interface based on clear definitions of roles, duties and procedures, including monitoring, to be followed by both organizations. Duplicated oversight efforts come at a price, so that the most efficient CRO oversight strategy must be carefully chosen based on objective criteria, such as previous CRO cooperation, e.g., the CRO’s experience with the sponsor’s procedures, systems, specific therapeutic area, quality of the CRO SOPs, etc.

Other significant additions

Other meaningful additions that appear in the GCPA cover computerized systems, electronic media, records, resources, non-compliance and validation of computerized systems. In the context of computerized systems, GCPA refers to validation process:

“Validation should ensure accuracy, reliability and consistent intended performance, from design until decommissioning of the system or transition to a new system.“1

In the data recording section, GCPA states that the “source document should be maintained and changes should be traceable.” GCPA states that trial data systems must ensure data integrity, particularly with changes and software updates. They are supposed to be guided with special training and, very importantly, be supported with SOPs, covering system setup, installation and use.

Investigator responsibilities are described in more detail, particularly the following duties:

  1. Delegation of tasks – This requires the investigator to supervise those team members to whom she/he delegates study tasks and to ensure that the team members are qualified to fulfill the assigned tasks.

  • Source documents and trial records – Source data should follow minimum quality criteria defined in the GCPA as: attributable, legible, contemporaneous, original, accurate, and complete.

  1. Essential documents – Investigator should maintain a record of the location of essential documents.

If non-compliance occurs, the sponsor must follow the following procedure:

  • Conduct a root cause analysis

  • Initiate and execute appropriate corrective and preventive actions

  • Inform regulators, where warranted by local regulations

The GCPA requests a formal corrective action preventive action (CAPA) process for ensuring clinical trial management improvement following a case of non-compliance. Thus, quality management is boosted by quality-by-design and adaptive risk-based approaches, together with continuous improvement of the overall QM processes.

How to embrace GCPA?

What actions should a sponsor or CRO plan now in order to efficiently embrace the GCPA?

  1. Plan the change to a risk-based quality management approach for the QA and QC functions

  2. Plan and train the monitoring and project management teams in RbM methodologies

  3. Where needed, adjust the enterprise standard operating procedures (SOPs) on clinical trial monitoring, CRO oversight, data management, etc. to the QbD, RbM approach and to a risk-based quality management system

  4. Embrace a centralized monitoring strategy and methodology and define how and when it is supplemented with onsite monitoring activities

  5. Establish a reporting mechanism supporting a centralized monitoring approach

  6. Review current formats of monitoring reports and align them with risk-based monitoring plans and approaches

  7. Ensure that all computerized systems involved in clinical trial activities are properly validated and kept in a validated state, as well as maintain adequate documentation on the validation status of any GxP relevant system

  8. Consider risk mitigation activities in trial budget calculation

  9. Establish a systematized system for analyzing critical data and risks for upcoming clinical trials

  10. Whenever tasks are delegated to a third party, establish a CRO oversight strategy for any GxP-related duties and functions carried out on the sponsor’s behalf

  11. Ensure that parties involved in the clinical trial process obtain and maintain the required qualifications and adequate resources

Summary and key take-aways

  • Summing up, the new GCPA addresses the main points of clinical trial complexity and inefficiency: clinical trial oversight, conduct, trial design and data integrity. The change was driven by new trends in the pharmaceutical industry and academia, which should enable sponsors and CROs to conduct trials more efficiently by utilizing new and better technological solutions. All of this must drive cost reductions and help deal with complexity, while improving patient safety, rights and integrity, in addition to data reliability.

  • Monitoring and quality management are now to become truly risk-based. This will demand a cultural shift in many QA and monitoring teams. Obviously additional educational efforts will be required. The way that risks are identified, evaluated and mitigated commands a change in the mindset of those who have applied GCP for a very long time already.

  • For management, there is a new challenge of finding transparent and robust ways to plan a budget for clinical trials, applying a risk-based approach. With the current clinical trial oversight model, budgeting was easier because a fixed number of site monitoring visits was to be performed. With the RbM approach, the number of onsite activities is less predictable, as it may decrease or increase based on the risks identified during the trial.

In summary, the GCPA sets a more modern quality standard for clinical study processes, has the potential to simplify clinical monitoring by embracing an adaptive risk-based approach, and stresses the importance of patient safety, integrity and rights, in addition to data integrity. However, to successfully implement these changes, a change in everybody’s mindset with regard to quality and compliance is needed in order to adopt a more holistic approach to drug development and clinical trials in general and, thus, finally achieving cost savings by means of better planning. The risk-based approach starts with the mitigation of risks and avoidable complexity that already exist in trial design.

Artem Andrianov, PhD MBA, is CEO Cyntegrity Germany GmbH; Beat Widler, PhD, is Partner with WSQMS; and María Proupín-Pérez, PhD is Project Leader with PPH plus.


1. ICH, “Integrated addendum to ICH E6(R1): Guideline for Good Clinical Practice E6(R2).” 11-Jun-2015.

2. EMA, “Reflection paper on risk-based quality management in clinical trials,” 18-Nov-2013. [Online]. Available: http://www.ema.europa.eu/docs/en_GB/document_library/Scientific_guideline/2011/08/WC500110059.pdf.

3. FDA, “Guidance for Industry Oversight of Clinical Investigations — A Risk-Based Approach to Monitoring,” Aug-2013. [Online]. Available: http://www.fda.gov/downloads/Drugs/.../Guidances/UCM269919.pdf. [Accessed: 15-Aug-2014].

4. S. Piantadosi, Clinical Trials: A Methodologic Perspective. John Wiley & Sons, 2013.

5. K. A. Getz, S. Stergiopoulos, M. Marlborough, J. Whitehill, M. Curran, and K. I. Kaitin, “Quantifying the magnitude and cost of collecting extraneous protocol data,” Am J Ther, vol. 22, no. 2, pp. 117–124, Apr. 2015.

6. Artem Andrianov, PhD, “Can RbM Influence the Data Quality and Patient Safety Inversely?,” Applied Clinical Trials, 31-Mar-2015.

lorem ipsum