White Paper

An Overview Of The ICH E6 (R2) Guideline

By Steven Begley and Jamie Schimmel

Complying with ICH E6 (R2)

What You Should Know About Risk-Based Evaluation Before Designing The Eclinical System For Your Clinical Program.

“Risk” is the watchword for sponsors working to comply with ICH E6 (R2), the 2016 revisions to the International Council on Harmonisation’s guideline on good clinical practices. At the heart of these changes is the imperative to manage the risks--to patient safety and data integrity--that are posed by eClinical tools and electronic data processes. While the revisions to the guideline mainly impact sponsors, technology providers and contract research organizations need to be aware of the changes and make adjustments to operational procedures, documentation practices, quality approaches and computerized system functionality.

In this three-part series, YPrime presents:

Part 1. An Overview of the ICH E6 (R2) Guideline

Part 2. Risk Mitigation in eClinical Design Requirements: How Systems Impact Patient Safety and Data Integrity

Part 3. A Working Model for eClinical Risk Evaluation: Who Should be at the Table

Part 1. An Overview of the ICH E6 (R2) Guideline

In effect since June 2017, ICH E6 (R2) is the biggest change to the ICH clinical research guideline in more than 20 years. As sponsors rely more and more heavily on electronic systems to manage and report data in large, complex studies, regulators are increasingly concerned about the risks eClinical systems present if the technology is not managed appropriately.

In E6 (R2), regulators define good risk management practices to identify and mitigate such risks during the development and initiation of a clinical program. The revised guideline challenges sponsors to adopt risk-based thinking throughout clinical evaluation. It requires risk-based approaches in centralized monitoring, clinical monitoring and software validation.     

What E6 (R2) Means for eClinical Systems

What this means for sponsors is that clinical programs now must implement risk assessment at both the trial level and the system level. Risks must be identified during study initiation. Metrics must be captured against risks in clinical monitoring, data management and preparation of Clinical Study Reports.

Key provisions require sponsors to:

  • Implement suitable monitoring plans and adequate procedures to protect data integrity.
  • Ensure that source data are attributable, legible, contemporaneous, original, accurate and complete, and that changes are traceable.
  • Use risk assessment in validating electronic data handling and remote data systems; maintain SOPs for data collection; validation and functionality testing; system maintenance and security; change control; backup recovery; and business continuity planning.
  • Implement quality management systems across trial design, conduct, recording and archiving. 

For YPrime, E6 (R2) means helping sponsors adopt methodologies that go beyond operational practices to incorporate more upfront planning and continuous improvement feedback. The guidance’s new risk-based evaluation requirements impact:

  • Vendor governance and oversight.
  • Risk management planning in software design, development and validation.
  • Quality management systems.
  • Risk mitigation programs and reporting strategies.

“While sponsors are ultimately responsible for compliance, the onus is on eClinical providers to help sponsors stay compliant and avoid situations where an eClinical system has been put into place that does not align with protocol requirements.” notes Jamie Schimmel, Vice President, Project Delivery, YPrime.

“If your system does not build in the right requirements or is not programmed correctly, patients can be potentially harmed—the entire clinical trial can fail. For example, a missing equal sign in programming could result in unqualified patients participating in the study—causing protocol violations and possibly safety risk due to inappropriate study drug exposure or procedures, and certainly a risk to the reliability of study results.”

Both drug and biologics makers must qualify vendors through qualification and requalification audits. Qualification aims to ensure that vendors have the requisite system design and domain expertise; robust testing; effectiveness checks; process controls and reporting capabilities.

An FDANews Report provides a thorough overview of requirements in Risk Management in Clinical Trials: The New ICH E6 Focus.[i] The following summary focuses on points essential for quality management systems and system and software validation.

Risk-Based Thinking: Quality Management Systems and Vendor Governance

The steps sponsors and vendors must take to meet the new ICH E6(2) requirements are detailed in “Section 5--Sponsors,” which addresses aspects of risk-based thinking;  the role of quality systems in risk management; and requirements for software and system validation.[ii] 

Simply put, “risk” is whatever might go wrong or has gone wrong in the process of collecting, overseeing, recording and reporting clinical trial data. Level of risk is viewed in terms of potential harm to study subjects and impact on data integrity.

Risk-based quality management systems take a proactive approach to identify potential problems and address them before a trial begins. This systematic approach to mitigating high-risk events aims to assure trial quality and also guides risk review—data that sponsors can use to inform decision-making at the system level.

ICH cites seven key elements of proactive risk-based thinking1

  • Critical process and data identification.
  • Risk identification.
  • Risk evaluation.
  • Risk control.
  • Risk communication.
  • Risk review.
  • Risk reporting.

To create a quality system plan that meets regulatory expectations, sponsors are advised to implement a system to manage quality across all stages of the clinical trial process, with a focus on activities that ensure patient safety and reliability of trial results. Methods should be appropriate to the level of risk—sponsors should avoid investing large resources to manage low-level risk. And sponsors should avoid unnecessary complexity—such as data collection that can’t be reasonably handled by site staff.

ICH E6 (R2) requires that risk management processes be used in all key components of the quality management system, including1:   

  • Document control and format.
  • Internal audit program.
  • Vendor audit/qualification program.
  • Deviation reporting.
  • Corrective and preventive action (CAPA).
  • Change control.
  • Complaint management.
  • Management review.

Complying with Software and System Validation

YPrime is helping sponsors adopt these global standards and stay compliant, notes Steven Begley, YPrime Chief Privacy Officer and Senior Vice President, Quality and Compliance.

“We’ve built a Quality Management System that incorporates risk assessment at the beginning of the specification stage by indicating risk for each function used, based on how significant the change is from the validated base platform,” Begley says.

“There is also identification of whether there is impact to patient safety and/or data integrity for each function, and subsequently, identification of the level of testing that must be employed based on this outlined risk. A comprehensive risk analysis such as this makes initial evaluation and subsequent change assessment more streamlined and transparent to all parties.”

To comply with ICH E6 (R2), sponsors must incorporate risk assessment into software and system validation. Since it is not reasonable to test every possible combination of functions in a data processing system, suitable testing approaches are determined based on the potential risk introduced by the function or feature.

According to the guideline:

The approach to validation should be based on a risk assessment that takes into consideration the intended use of the system and the potential of the system to affect human subject protection and reliability of trial results.”2

A risk-based validation approach should begin early on in your clinical program and must be maintained until the system is decommissioned or replaced. Responsibilities of the sponsor and other stakeholders using eClinical tools—including remote data handling systems—must be clear, and training on system use must be provided and documented. The guideline recommends having a formalized risk-based system linked to a documented risk assessment to guide the required methodology and resources.

Risk assessment requirements.

E6 (R2) requires a risk assessment “based on an understanding of business processes and business risks, user and regulatory requirements, and known functional areas.”1 Sponsors are advised to include assessments of system impact and data integrity; system complexity and novelty; and the ability to leverage vendor validation tools and services.

In YPrime’s experience, Begley notes that there a good deal of variability regarding vendor validation.

 “We’ve seen many sponsors who have their own vendor management process which outlines standardized questions posed for all vendors. This usually features an internally understood number or status for vendor risk level and/or amount of testing that may be required as part of the sponsor’s system UAT (User Acceptance Testing). In most cases, there is a lot of room for improvement.”

Maintaining SOPs.

ICH E6 (R2) details the following requirements for SOPs that discuss system requirements and intended use.1 

System validation SOPs. The software validation SOP must describe the risk-based validation approach and how it is conducted.  This might include:  different approaches to be used for different types of software – such as custom, configurable, and Software as a Service. Sufficient detail must be given so that validations are performed consistently. Functionality testing procedures need to cover the minimum requirements to be used for validation testing. The SOP also should describe the testing environments and any associated electronic tools that are used. The use of these tools must be documented to ensure consistent use by all vendor staff.

Data collection and handling system SOPs should detail the key requirements for data handling, usage and other security information.

System maintenance SOPs include:

System security measures.  SOPs must cover access control, password requirements and other important security measures associated with the computerized system and its associated devices

Change control. SOPs should describe the requirements for documenting and evaluating a change prior to implementation. Change control is essential when a new function is introduced, when system upgrades are planned, and when major changes to the overall system are required or planned. Some changes may impact patient safety or data integrity; it is critical that the vendor’s process not only includes assignment of risk but impact assessment. ICH E6 (R2) requires sponsors to ensure integrity of data—particularly data that describe context, content, and structure—when making changes such as software upgrades or migration of data (a provision consistent with FDA Part 11 regulation on electronic systems). All software validation changes should be documented and maintained for later reference.

Data backup and recovery. The SOP must cover the data backup process and its restoration options for the data within the system. It should include timeframes for how long data will be kept in a safe and secure location.

Contingency planning. This SOP should provide various options for short- and long-term business continuity—for example, options available if the system is not functioning or if there is a loss of power.

System decommissioning. The decommissioning SOP details the controlled deactivation of a computerized system, together with the appropriate documentation. ICH E6 (R2) suggests sponsors consider using templates to help capture required information in a consistent way.

Certified Copies

A certified copy must have “the same attributes, context, content and structure” as the original record. Copies must be generated by a validated process that ensures all participants are consistent in verifying the trial information when it is copied, and copies must be verified by date and signature.  These rules apply to paper-to-paper copies as well as paper-to-electronic records.

The Goal: Ensuring Patient Safety and Data Integrity

“From a regulatory point of view, there is increased scrutiny of systems that support eligibility requirements as well as collection of endpoints. Decisions are being made by clinical scientists based on the data these systems are collecting and reporting—everything from patient safety issues to product labeling,” Begley says.

“Traditional reviews and sign-offs are not sufficient. The industry has to move away from reactive corrective action and toward proactive risk management practice to make sure system requirements and validation is robust. E6 (R2) is about making sure the system does what it is intended to do.”

The Future: Comprehensive Risk and Quality Management in eClinical Systems 

ICH E6 (R2) marks a new era for quality management in clinical research. Moving forward, it will not be enough to focus only on the design and infrastructure of eClinical systems. The new requirements for comprehensive risk assessment and mitigation go beyond planning to include active monitoring, periodic reviews, and quick action to address any issues that arise related to data integrity.

To ensure compliance with the revised guideline, sponsors are now incorporating data integrity standards and formal review plans in their eClinical systems. To manage affirmation of data integrity, YPrime advises sponsors to give special consideration to the following:                                      

  • Make data integrity plans specific to your organization and study types.
  • Schedule process reviews at regular time points.
  • Create study-specific plans to review data integrity and potential vulnerabilities.
  • Document your plan so it may be presented to regulatory authorities at any time.
  • Classify data by level of risk to safety and integrity: it is not necessary to treat all data equally.
  • Create use cases to further monitor data integrity.

In routine interval reviews, sponsors should address key elements of audit trails and data changes. User access is another important consideration. Periodic process reviews should assess controls for system access: Are users current on their assigned roles? Are users inactive or missing from the system? Your eClinical vendor can build reports to monitory user activity. Sponsors will need to plan a systematic approach for user management that can be shared with regulatory authorities. 

Benefits of Partnering

As sponsors take on the challenges of risk-based quality management, there are numerous opportunities to partner with eClinical providers. Both sponsors and vendors will be adopting a new risk-based mindset.

For sponsors, risk-based thinking starts by focusing on how you can demonstrate proof of oversight and control to ensure data integrity. “We advise sponsors to configure their data checks in conjunction with their vendor’s current capabilities and then work toward future improvements,” Begley says.

For vendors, complying with the risk-based guidance will require new ways of thinking about technology. “We have to think beyond simply collecting data. We need to share audit trail information with sponsors and help them access and monitor their data. This kind of partnering means we can play an important role in advancing data integrity and in demonstrating effective risk management practice.”   


[i] Leister SM, 2018. Risk management in clinical trials. The new ICH E6 focus. FDANews Report.

[ii] European Medicines Agency. ICH E6 (R2) Good clinical practice: Revision 2 – Adopted guideline, published 15 December 2016. Visit: https://www.ema.europa.eu/en/ich-e6-r2-good-clinical-practice.