Features
January / February 2026

GAMP® and ICH GCP E6 Standards Keep Clinical Trials Current
Kevin Carey
0126_PE_JF_Carey

Clinical trial sponsors who delegate responsibilities to service providers supporting anything from a small, single-site Phase I study to a global Phase III program are now operating under a fully revised ICH GCP E6(R3).1

A Changing GCP Landscape

With its annexes underway, addressing a wide range of modernized Good Clinical Practice (GCP) principles, the updated framework places greater scrutiny on how computerized systems are managed and how data integrity is safeguarded. Although sponsors or investigators retain ultimate responsibility for trial conduct and compliance under GCP, ICH E6(R3) now expects them to maintain risk-based oversight throughout the entire engagement with service providers, as service providers play a direct, hands-on role in managing systems and processes that impact essential records, participant safety, and data integrity. Regulatory audits increasingly scrutinize service providers, particularly where computerized systems are used to manage essential documentation or trial-critical processes. Staying prepared is no longer optional; readiness has become a shared expectation between sponsors and their service providers.

ICH E6 Revisions Raise the Bar

The release of ICH E6(R3) marked a significant shift in expectations surrounding clinical research conduct (see Figure 1). Sponsors face mounting regulatory scrutiny, but service providers must also keep pace. For example, under ICH E6(R3), sponsors are responsible for ensuring the data collected by service providers is accurate, complete, and compliant with regulations. This includes having defined processes for data handling and transfer.

Maintaining standard operating procedures (SOPs) is not optional, particularly around computerized systems and supplier oversight. ISPE GAMP® 5 Guide 2nd Edition2 principles and modern approaches to computerized system validation provide the foundation for meeting today’s expectations. Without this, even well-established service providers risk falling behind, exposing their sponsors to compliance failures. Forward-looking service providers review their quality systems for gaps and ensure their teams understand both the rules and the reasoning behind the increased quality focus. Table 1 shows ICH E6(R3) requirements mapped to ISPE GAMP® 5 Guide 2nd Edition and ISPE GAMP® Good Practice Guide: Computerized GCP Systems and Data 2nd Edition guidance.

SOP Modernization: Applying Gamp® 5 Principles

Regulatory expectations concerning computerized systems continue to evolve. ISPE GAMP guidance notes that organizations should periodically review and update existing procedures to address gaps and align with risk-based, life-cycle-focused practices (e.g., ISPE GAMP® Guide: Records and Data Integrity and ISPE GAMP® RDI Good Practice Guide: Data Integrity by Design). Sponsors and regulators now look for clear, risk-based approaches grounded in the principles of ISPE GAMP® 5 Guide 2nd Edition. Service providers relying on outdated procedures, particularly in validation or supplier qualification, remain vulnerable to findings during audits. SOPs must do more than simply exist on paper; for example, computerized systems validation SOPs should be modernized to reflect ISPE GAMP® 5 Guide 2nd Edition as industry best practice, which not only reinforces the importance of risk-based validation but also clarifies expectations for suppler oversight, periodic review, and system life cycle controls.

Figure 1: Comparison Table: ICH E6(R3) Annex 1 vs. ICH E6(R2).
ICH E6(R3) Annex 1 vs. ICH E6(R2) – Data Governance
Comparison

ICH E6(R3) Section

  • 4.3 – Computerized Systems
  • 4.3.1 Procedures for the Use of
  • Computerized Systems
  • 4.3.2 Training
  • 4.3.3 Security
  • 4.3.4 Validation
  • 4.3.5 System Release
  • 4.3.6 System Failure
  • 4.3.7 Technical Support
  • 4.3.8 User Management

ICH E6(R2) Section

N/A – Significant revision introduced for both sponsor and investigator responsibilities.

Table 1: Mapping ICH E6(R3) requirements to ISPE GAMP® 5 Guide 2nd Edition and ISPE GAMP® Good Practice Guide: Computerized
GCP Systems and Data 2nd Edition guidance.
ICH E6(R3) Annex 1 vs. GAMP® 5 / GAMP® GCP Guide (2nd Editions)
“What” — ICH E6(R3) / Annex 1“How” — ISPE GAMP® 5 Guide 2nd Edition and ISPE GAMP® Good Practice Guide: Computerized GCP Systems and Data 2nd Edition
Procedures for Use of Computerized Systems
“Documented procedures to ensure the appropriate use of computerised systems in clinical trials for essential activities related to data collection, handling and management.” (ICH E6(R3) § 4.3.1)		GAMP guidance calls for operating procedures tied to the system’s intended purpose, defining user responsibilities and configuration controls.
Training
“The responsible party should ensure that those using computerised systems are appropriately trained in their use.” (ICH E6(R3) § 4.3.2)		ISPE GAMP® 5 Guide 2nd Edition emphasizes role-based training aligned to system criticality and user competence.
Security
“Security controls should be implemented and maintained including user management, backup, disaster recovery and IT security.” (ICH E6(R3) § 4.3.3).		ISPE GAMP® GCP Guide 2nd Edition describes risk-based security measures (access control, segregation of duties, audit-trail management) and reliance on supplier assurances for technical controls.
Validation
“Validation based on a risk assessment to demonstrate that the system conforms to the established requirements both standard and protocol-specific configurations.” (ICH E6(R3) § 4.3.4)		ISPE GAMP® 5 Guide 2nd Edition advocates a life-cycle-based, risk-proportionate validation approach; the ISPE GAMP® GCP Guide 2nd Edition provides practical templates for specifi cation, testing, and change-control in GCP use.
System Release
“Trialspecifi c systems should only be implemented, released or activated after all necessary approvals have been received. ” (ICH E6(R3) § 4.3.5)		GAMP guidance includes formal release criteria, verification steps, and documented approval gates prior to routine use.
System Failure
“Contingency procedures should be in place to prevent loss or lack of accessibility to data essential to participant safety, trial decisions or trial outcomes.” (ICH E6(R3) § 4.3.6)		GAMP guidance recommends documented contingency, fallback, and recovery plans, with periodic testing according to system criticality.
Technical Support
“Mechanisms to document, evaluate and manage issues, defects and issues should be resolved according to their criticality.” (ICH E6(R3) § 4.3.7)		GAMP guidance expects a support framework including help-desk processes, defect triage, trending of issues, and oversight of changes.
4.3.8 User Management
“System access limited to authorized users; roles and permissions defined and periodically reviewed.” (ICH E6(R3) § 4.3.8)		ISPE GAMP® GCP Guide 2nd Edition advises role-based access control, periodic permission reviews, logging of role changes, and leveraging supplier documentation to support the user life cycle.

Although sponsors or investigators retain ultimate responsibility for trial conduct and compliance under GCP, ICH E6(R3) now expects them to maintain risk-based oversight throughout the entire engagement with service providers.

Building on this foundation, the ISPE GAMP® Good Practice Guide: Computerized GCP Systems and Data (Second Edition)3 provides more targeted guidance for clinical settings. It highlights how SOPs should be structured to support supplier management. This includes qualification processes, the effective use of supplier documentation, and the evaluation of third parties’ ability to maintain compliance and data integrity throughout the system development life cycle. A dusty binder on the shelf will not protect a service provider’s credibility or its sponsor’s data integrity. It’s time to modernize.

Computerized Systems: Validating with GAMP® 5

Modern clinical trials rely heavily on electronic platforms to support GCP-regulated activities such as document management, data capture, and safety reporting. These systems require validation when they are used in ways that impact participant safety, data integrity, or essential trial records, not simply because they are electronic. Regulators have made it clear: sponsors remain responsible even when service providers manage these critical systems.

ICH GCP E6(R3), along with the European Medicines Agency Guideline on Computerized Systems and Electronic Data in Clinical Trials,4 reinforces that such computerized systems must be fit for purpose and proportionately managed according to their impact on participant safety and data reliability, responsibilities that sponsors retain even when delegated to service providers. This is where ISPE GAMP® 5 Guide 2nd Edition and ISPE GAMP® Good Practice Guide: Computerized GCP Systems and Data 2nd Edition provide a modern framework. Their risk-based approach encourages critical thinking, introduces layered validation tailored for clinical platforms and trial-specific configurations, and aligns directly with regulatory expectations, ensuring validation efforts are appropriate, responsibilities are defined, and the full system development life cycle from concept through retirement is properly controlled.

Case Study: Validation Remediation and QMS Strengthening

Background: Trusted System, Unseen Risk

This case study features a clinical service provider specializing in delivering positron emission tomography/computed tomography (PET/CT) and single photon emission computed tomography/computed tomography (SPECT/CT) scanner validation programs for clinical trial sponsors. The service provider used, in part, a widely adopted enterprise collaboration platform to manage GxP classified protocol records, many of which were considered medium- to high-criticality under ICH E6(R2),6 and assumed the underlying system was already properly validated or posed no inherent risk.

Trigger: Audit Uncovers Compliance Gaps

During a routine qualification audit by a trial sponsor, observations were raised regarding the provider’s use of the enterprise platform. Specifically, this was the lack of documented validation aligned with GxP compliance expectations. The focus turned out to be the site-specific SharePoint Online site used by the GCP team to manage protocol records, distinct from the broader, IT-managed SharePoint tenant, which was treated as non-GxP infrastructure. After all, it is easy to assume that if millions use SharePoint and Microsoft stands behind it, it must already “be validated.”

However, even if only a specific SharePoint site or application is used for clinical trial records, the ISPE GAMP® Good Practice Guide: Computerized GCP Systems and Data 2nd Edition risk-based framework advises treating that usage as a regulated system and governing accordingly. The absence of formal validation documentation and governance controls for this regulated use case resulted in a clear audit finding, leading to a formal risk-based remediation approach to correct the oversight and bring the system into a state of control.

Staying prepared is no longer optional; readiness has become a shared expectation between sponsors and their service providers.

Approach: Risk-Based Remediation Strategy

To address the audit findings and strengthen quality oversight, the service provider engaged external consultants to conduct a broader review of computerized system controls and quality documentation. The consultants began with a tailored initial system risk assessment in accordance with ISPE GAMP® 5 Guide 2nd Edition principles. This assessment helped shape a validation strategy scaled appropriately for the system’s actual role and regulatory impact. Critical thinking was applied throughout, ensuring validation decisions reflected good judgement rather than rigid templates.

Validation Deliverables and Activities

The validation activities included the following.

  • System risk assessment: Tailored assessment based on intended use and regulatory impact.
  • Requirements specification: Developed to align with ICH GCP E6, 21 CFR Part 11,5 and data integrity expectations.
  • Functional risk assessment: Simplified for an out-of-the-box platform.
  • Configuration specification (CS): Created to document the baseline setup of the SharePoint Online site provisioned for GCP activities. Although no custom features or enhancements were applied, the CS served to verify and record the default operational settings. Evidence was gathered from Microsoft 365 admin center exports, audit logs, and supplier certifications. This provided a traceable reference point, with provisions in place to revise the CS should future changes be made.
  • Supplier assessment: Performed on Microsoft 365 (SharePoint Online) through review of SOC-2 reports and supplier certifications.
  • Installation qualification protocol: Confirmed that the operational environment of the SharePoint Online site matched the documented baseline settings in the CS. Verification was based on observed tenant/site settings and supporting evidence from Microsoft 365 administrative tools.
  • User acceptance testing: Small, focused test script verifying GCP-relevant document controls.
  • Day-in-the-life test: Unscripted exploratory test reflecting typical real-world workflows of the SharePoint platform.

Efficiency was further achieved by combining deliverables where logical and providing manuals and computerized systems validation templates for future use. These included three main deliverables. The combined validation plan and test plan was integrated for simplicity, reflecting critical thinking in document efficiency. The operational manual was developed to support user training and ensure compliant day-to-day use. The reusable computerized systems validation templates were created for future system validation efforts.

Beyond SharePoint, the project expanded into strengthening the service providers’ overall quality management system (QMS). New computerized system validation SOPs were written in line with ISPE GAMP® 5 Guide 2nd Edition and GAMP® Good Practice Guide: Computerized GCP Systems and Data 2nd Edition and covered the following:

  • Supplier management: Qualification and oversight of third parties handling GxP systems
  • Periodic review: Regular checks to ensure systems remain compliant and fit for purpose
  • GxP risk management: Identifying, assessing, and mitigating compliance risks across life cycle stages
  • Test management: Planning and executing risk-based testing for regulated systems
  • Validation of GxP systems: Ensuring systems are fit for intended GxP use through evidence

In parallel, key staff were trained in the following. For good testing practices, staff learned how to apply critical thinking and risk-based decision-making to focus testing on what truly matters for validation, aligned with computer software assurance (CSA) principles as embedded within ISPE GAMP® 5 Guide 2nd Edition. For risk-based validation under ISPE GAMP® 5

Guide 2nd Edition, staff learned how to align validation effort with system complexity and regulatory impact. For data integrity, staff was trained to ensure accuracy, consistency, and reliability of the provider’s data throughout its life cycle. And for ICH GCP E6 essential records criticality, staff was trained to identify and protect records vital to participant safety and reliability.

Conclusion

The outcome was a SharePoint-based application brought into a validated state through risk-based remediation with governance focused on its GxP use. More importantly, the clinical service provider emerged with a modernized procedural framework and a workforce far better prepared for inspections and evolving regulatory expectations.

Fixing a gap after an audit is one thing; embedding lasting quality is another. Service providers can no longer rely on inherited procedures or informal knowledge transfer. Training on computerized systems validation, ISPE GAMP® 5 Guide 2nd Edition, ISPE GAMP® Good Practice Guide: Computerized GCP Systems and Data 2nd Edition, and ICH GCP E6(R3) should never be an afterthought. Rather, this guidance must be part of baseline competency. These updated guidelines provide a practical roadmap for modern compliance, offering direction on managing suppliers, scaling validation activities, applying critical thinking, and strengthening data integrity.

Sponsors are placing greater emphasis on seeing their service providers demonstrate preparedness and strong oversight practices instead of reacting after the fact. For service providers that invest in education and oversight, this helps meet evolving regulatory expectations. Further, it strengthens relationships with their clients. In today’s demanding, regulated environment, maintaining this level of readiness reflects quality leadership and long-term business resilience.

Information Systems Regulatory
Data Integrity GAMP®

Not a Member Yet?

To continue reading this article and to take advantage of full access to Pharmaceutical Engineering magazine articles, technical reports, white papers and exclusive content on the latest pharmaceutical engineering news, join ISPE today. In addition to exclusive access to all of the content in Pharmaceutical Engineering magazine, you will get online access to 24 ISPE Good Practice Guides, exclusive networking events, regulatory resources, Communities of Practice, and more.

Learn more about the valuable benefits you'll receive with an ISPE membership.

Join Today