ICH E6 (R3) and Risk-Based Quality Management
Webinar Recap
If you joined us live, thank you. If you’re reading this now, you’re in the right place. On Wednesday 10th September, we hosted our latest TRI webinar because so many of you asked the same question in different ways: What does ICH E6 (R3) really change, and how do we adapt fast without losing momentum?
Over 40 minutes, we unpacked the guidance and debated what it means in real life. Below we break down the core topics, insights from our expert speakers, what matters most for your next study, and practical next steps you can take.
Why We Held This Webinar
While R2 built on the foundations of R1, R3 marks a complete reframe of the guidance.
It’s now a standalone guideline organized around 11 core GCP principles, and it puts Quality by Design and proportionate risk‑based approaches at the center of how trials are planned, run, and governed. For anyone accountable for clinical trial compliance, that shift is significant.
What We Covered: The Big Shifts You Can’t Ignore
E6(R3) is standalone
In R2, guidance felt bolted on. In R3, the structure itself signals intent: quality by design (QbD) and risk‑based thinking aren’t optional. As TRI CEO Duncan Hall said on the day, “Before you’ve reached page five, the message is clear: RBQM is now how we run compliant trials.”
CtQ factors widen the lens beyond data and processes
R2 talked “critical data” and “critical processes.” R3 pushes us to identify Critical‑to‑Quality (CtQ) factors across everything that could impact quality and safety, vendors, devices, systems, and IP supply chain included. That widens risk identification and tightens accountability.
RBQM is explicit
Section 3 puts responsibility for implementing risk‑proportionate approaches squarely with sponsors. That means risk assessment at start‑up must drive priorities, controls, and monitoring strategies across the trial life cycle.
Centralized monitoring becomes the lead approach
R3’s wording matters. As Duncan Hall shared during the session, “Central monitoring can determine the extent and frequency of site monitoring, or be used on its own.” In other words, centralized monitoring leads, with on‑site and remote visits aligned to risk, not routine.
Data governance gets teeth
A new section introduces concrete expectations across the data life cycle: metadata capture, periodic audit trail review, and robust controls for computerized systems (access management, data security, backups/disaster recovery, validation). This is core GCP compliance.
SDV is risk‑based
R3 clarifies what many have been moving toward: Source Data Verification should focus on critical data only. That’s an efficiency gain if, and only if, your CtQ and monitoring strategy are strong.
What Our Experts Said (and Why It Matters)
“It’s time for industry to get properly serious” – Gerard Barron, Phraktion
Gerard reminded us that R3 brings opportunity and expectation: better insight through centralized monitoring, but also higher standards across people, processes, and systems. It likely means new roles (central monitors and data‑driven reviewers who aren’t classic CRAs or pure data managers) and new training to make decisions from risk signals, not rear‑view deviations.
Proportionate approaches for companies at different stages
Gerard also contrasted realities: early‑stage biotechs need proportionate, pragmatic RBQM from day one; later‑stage companies must retrofit while running. That only works when senior leadership backs the shift and protects teams’ time to plan and adapt.
Collaboration and transparency between sponsors and CROs
“Sponsors now expect deeper collaboration in risk assessment, and traceable, audit‑ready transparency throughout.” – Rohit Gupta, Indero
Rohit sees sponsors leaning in earlier, co‑defining risks, controls, and KRIs at start‑up, aligning functional plans, and creating feedback loops that prove controls are working (or trigger change when they’re not). The CRO role is evolving from executor to co‑owner of risk and quality, with central data review and cross‑functional signal detection built into business as usual.
What This Means for You
Make CtQ real, not theoretical
Run a cross‑functional workshop to identify CtQ factors beyond data: vendors, devices, logistics, system integrations, and patient‑reported channels. Prioritize by impact and likelihood. Document the “why.”
Tie monitoring to risk signals
Define centralized monitoring as the primary oversight model. Decide what triggers on‑site or remote visits. Align KRIs/QTLs (acceptable ranges) to CtQ factors and agree in advance what happens when they’re breached (including root‑cause analysis).
Treat data governance as part of quality
Validate key systems proportionately. Confirm metadata is captured at the point of data entry. Schedule periodic audit trail reviews. Test access controls, backups, and disaster recovery playbooks.
Upskill the team intentionally
Create (or formalize) central review roles. Train teams to interpret risk indicators and act early. As Gerard stressed, this is people change, plan for it.
Share accountability with your CROs
Bring your CRO into risk assessment and control design at start‑up. Ask for visible, traceable dashboards that map risks to actions and outcomes. Make the governance cadence explicit.
If You Remember One Thing…
E6 (R3) codifies the direction the best teams were already heading: design for quality, manage by risk, monitor centrally, and govern data like it matters (because it does). The winners will be those who operationalize this, before inspections force the issue.
If you want to turn these principles into your study‑level plan, the team at TRI are happy to help. We’ll show you how OPRA, our RBQM software, makes this real: one platform to design, implement, and monitor risk-based quality management with full transparency and inspection readiness built in.