The team are often asked about ICH E6(R2), both because of their in-depth knowledge of the guidance, but more importantly, what implementing RBQM means on a practical, day-to-day basis for both Sponsors and CROs.  Below are questions we've been asked in our webinars, but if you have any questions of your own, please get in touch.


What qualifications or who meets the acceptability to certify copies?


I think to answer this question you need to first consider what the process for certification will be.

For example, if the certification is of a document that is generated from a system, through a non-validated process how would a person go about confirming the data on the copy has the same information, include the data, the context, content and structure as the original data in the system? This may be more straightforward with some systems than others, is all information visible on a screen, or is some information hidden, does all data in the system print out on the report, if not is the data relevant, does this system hold an audit trail, is this available for the data being exported/copied? This may require someone with a different skill set than say someone making a scan or photo copy of a paper document where the process is much more straight forward as it is a direction comparison, and they may need to also assess legibility, before certifying.

Either way, the process needs to be defined and the organization must train those individuals who will be responsible of the process.


eData handling - what is the impact beyond IT, e.g. is DM responsible for checking all updates that EDC vendor makes?

1.65, 5.5.3

No, but the EDC vendor and their SDLC/CSV SOPs should be assessed as part of the vendor assessment/qualification process conducted by QA.


Do the edata handling requirements apply to all vendors, e.g. regulatory vendors we might use for electronic publishing of regulatory submissions (eCTD format)?

1.65, 5.5.3

Yes. Best practice would be to review what the vendor is required to do and if their scope would potentially impact subject protection and/or data integrity. Based on the outcome of this assessment, the scope of expected validation activities performed by/required of the vendor should be determined and this should form part of the vendor assessment.


Do you see the changes in CSV as new or just catching up with the current validation process that the FDA guidelines cover?

1.65, 5.5.3

Mainly catching up with FDA guidelines and GaMP guidelines, GaMP5 allows for a risk based approach to validation, which is supported in E6 R2.


During the discussion surrounding electronic data and ensuring validation, compliance to 21cfr11, etc.. does this requirement apply to the use of Adobe for the creation of electronic signatures? Adobe is not validated.. this is why I ask

1.65, 5.5.3

It depends on how Adobe is being used, if it is stated in process that you are using electronic signatures for control documents and these esigned documents will be part of your 'system of record', if this is implemented through Adobe, this would not fulfil the requirements of electronic signatures or validation. Documents generated through this processes would therefore not be considered to meet the requirements of electronic signatures or control, and would not be considered source or system of record.


What is the responsibility if the CRO is in charge of drafting the protocol?

5.0, 5.0.1 - 5.0.7, 5.2.2

The same process would apply, risk assessment (ideally jointly with the sponsor) should be conducted, beginning with evaluating what is critical and identifying/evaluating the risk around it, where possible agreeing risk reduction/elimination with the sponsor and if not, then agreeing risk controls to implement and monitor (in the wider sense of the word) during the trial. I would recommend that the functions involved in the trial are involved in the risk assessment process


What if the risk is out of the CRO's management/control, though still having probability & magnitude as the budget assigned to sites for example?

5.0, 5.0.1 - 5.0.7, 5.2.2

This is important from the CROs perspective. I think documenting the risk and agreeing the control mechanisms with the sponsor is critical in this scenario, ultimately the controls will be agreed to by the sponsor, if they do not agree to the controls, you could argue this increases the risk, but documenting the risk and the likelihood and magnitude should help the sponsor understand the rationale behind the reason for the recommended controls


How is the CRO receiving Sponsor's delegation to this quality management action? Any specific message mandatory for us (CRO) being responsible?

5.0, 5.0.1 - 5.0.7, 5.2.2

This should be worked out as part of the contract, but it is worthwhile to have your own SOPs that cover the process of quality (risk) mgmt. I often recommend that it is good practice to perform an early critical variable and risk assessment as part of the RFP process. As the sponsors representative for the areas that are delegated to you (the CRO) you will have some level of responsibility for identifying and managing the risks in conjunction with the sponsor. I would recommend as a best practice that you (the CRO) has a risk assessment and mgmt. process in place and conduct your own risk assessment of the protocol, this process can also be conducted in conjunction with the sponsor (ideally a joint process would be conducted). The outcome of risk assessment, as you will see as the presentation progresses, should inform the functional activities and functional plans, e.g. Monitoring, Data Mgmt, Supplies etc.


Is the task of quality management now implicit as part of delegated study activities mgmt. to a CRO?

5.0, 5.0.1 - 5.0.7, 5.2.2

Yes, as more regulatory authorities adopt R2, the expectation will be there that this process is accounted for in the QMS of all vendors involved in trial conduct, and it may be conducted independently or in conjunction with the sponsor (I would advocate it is a conducted as a joint activity). The sponsor is ultimately responsible but as the representative, your processes should cover this.
Interestingly, in a recent presentation at the Global QA meeting in Edinburgh (02 Nov), the EMA representative, Sophia Mylona, publicly stated that the EMA would expect sponsors (and their representatives) to implement R2 principles retroactively to ongoing studies, where is made sense and was practicable, I would suggest this means, if you have protocol amendments, the Q(R)M processes should be applied, but Sophia also indicated this could apply to monitoring findings e.g. applying root cause analysis methods, assessing overall risk to other sites and implementing changes to monitoring plans as necessary. So if you are working in areas under EMA jurisdiction or the study data may be submitted to the EMA, this is something to be thinking about as it is now in effect as of 14 Jun 2017.


Risks are always identified as potential facts right?. I mean errors done with the ICF for example (as not timely approved by ECs although used) are already deviations, not risks.

5.0, 5.0.2

I like to think of this using the simple worked example below.
Fact: Known Information e.g. the study drug has a short shelf life due to lack of stability data
Risk: What could go wrong? e.g. Study duration may exceed the shelf-life. What would be the impact? e.g. Cost of re-labelling, cost of manufacturing additional supplies, suspension of subject recruitment and/or treatment, safety concerns and possible impact on results due to treatment interruption. What could be done to mitigate? e.g. Continue with long term stability research; Budget for additional supplies; put plan and forecast in place to detect and monitor when additional supplies/re-labelling will be required to avoid treatment interruption/recruitment suspension.
Issue: What has gone wrong? e.g. Confirmed that study term will exceed shelf-life. What has been affected? e.g. Nothing at this time (as we have forecast and detected the date where mitigations need to become effective) Was it a previously identified risk? Yes What has been done to mitigate? e.g. Budget secured for additional supplies/re-labelling; date for this to become effective has been forecast in advance, process for additional supplies to be shipped/re-labelling to be conducted is in place so time to put plan into effect. Act to resolve: e.g. Implement re-supply/re-labelling plan.
What risk assessment allows us to do is to be proactive and better prepared for dealing with issues before the impact escalates.


What is the definition of 'safety'. protecting subject 'safety'. I believe this really means AE/SAE, etc. However, as a CRA we often hear it referenced to 'safety' labs. e.g., general chem, haematology, etc. These are referred to safety labs and may have no bearing on critical data. Isn't it the PI's responsibility to review these 'safety labs' and track his/her subject's safety?


One of the core principles of GCP is to protect subject rights and well-being, often this is paraphrased as 'subject safety' but this is only one aspect. All parties involved in clinical trials are responsible for collectively protecting the rights and well-being of subjects. This begins with the sponsor in protocol development, evaluating the risk-benefit of the protocol procedures that the subject will undertake and ensuring that we are not exposing the subjects to risk unnecessarily, and putting controls in place where risk is necessary. You are correct, the PI is responsible for the subjects care, and ensuring that any decisions on the subject medical care has the subjects' well-being at the core. As a monitor (CRA), you are overseeing how the PI/site is conducting the protocol, ensuring they are following protocol procedures, which are in place not only to meet the objectives of the study but to protect the subjects' well-being. Not all data that is collected in a clinical trial is 'critical', what we need to do is determine what is and ensure that our activities focus on these areas. Some things, such as safety labs, are routine clinical care and is the responsibility of the PI and site staff, but there may be key elements of safety labs e.g. ALTs that are of particular interest because to the current safety profile of the drug that may be of particular interest that must be a focus of monitoring activities. There are some changes being put forward by industry bodies around the difference between SDV and SDR, you may review (SDR) and verify (SDV) specific tests in a series of labs, looking for specific values/AEs for all subjects but only review all labs for a small percentage of subjects to determine if there is any persistent behaviour/practice evident at the site that would put the subject or the data the site is producing at risk.


How are the regulators viewing non brick and mortar sites (i.e. telehealth)? How does this fit in the new Quality Management system?


Quality Mgmt still applies, in fact, more so in this scenario. The risks to the critical variables should still be assessed and controlled, and the provision for central monitoring activities should very much support the requirements of this scenario. We are expecting similar requirements to be added to E8 General Considerations for Clinical Trials, in the next 18 months, so all types of research will be expected to follow this approach.

Triumph Research Intelligence Limited

1 Signet Court

Swanns Road



United Kingdom

  • LinkedIn Social Icon
  • Twitter Social Icon
  • Facebook
  • YouTube