There is nothing more important than patient and consumer safety. At the end of the day; in all that we do; the drugs, devices and products we produce; we must do no harm. There are so many ways of ensuring patient safety. We have regulations, protocols, well-trained staff, validated IT systems etc., but the one I am going to discuss here is the serious breach process.
What is a serious breach? It is a breach of a clinical trial protocol that is likely to affect, to a significant degree, the safety (both physical and mental) and rights of a subject or the reliability, robustness or scientific value of data generated in a clinical trial. Deviations from protocols and GCP commonly occur in clinical trials, the vast majority of which are minor deviations that do not result in harm to the trial subjects or affect the data outcomes. In these cases, we follow the normal process of documenting the deviation and taking the appropriate corrective and preventative actions. However, sometimes the deviation is more serious, so how do you handle these instances? How do you assess whether a breach is serious? Who gets involved? How do you report it, etc.?
Let’s first see what the regulations say: adherence to the principles of GCP is universally accepted as a critical requirement to the conduct of research involving human subjects. In the US, there is no specific regulation discussing serious breaches per se, however all the regulations point to the essential requirement of human subject protection and handling of non-compliance. Details can be found on www.fda.gov (and then search: running clinical trials, regulatory information guidance’s, reporting problems to the FDA, etc.). In Europe, the regulations are more specific; EU No 536/2014 states, “The sponsor shall notify the member states concerned about a serious breach or of the version of the protocol applicable at the time of the breach through the EU portal without undue delay, but not later than 7 days after becoming aware of that breach.” Although there is delay in the implementation of the EU portal, it is still an expectation that we follow the serious breach process. What about ICH E6(R2) Addendum? If you go to section 5.20 (Non-compliance), it reads “5.20.1 If noncompliance that significantly affects or has the potential to significantly affect human subject protection or reliability of trial results is discovered, the sponsor should perform a root cause analysis and implement appropriate corrective and preventive actions.”
So, let’s get down to the details of what this means for you as a sponsor:
- You need a serious breach process! It sounds obvious, but there is a lot of thought needed behind this requirement.
- Document your process in a Policy or SOP. If you don’t have a documented process, it most likely will be a Health Authority inspection finding. Include who owns the serious breach investigation process, who should attend, who makes the decisions, how do you escalate, who reports, etc. in your process. You may also want to “Charter” the constitution of the serious breach committee. However you decide to document the process, it should be formal and include receipt, assessment, investigation, escalation, CAPA and reporting to the HA(s).
- When should a breach be reported to the Health Authority (HA)? Within 7 calendar days of the sponsor or anyone who has contractual agreements with the sponsor (e.g. vendors, suppliers, CROs etc.) becoming aware of the breach. This means that you need to clearly define Day 0; is this the very first awareness at the clinical trial site or when the sponsor or CRO become aware?
- Sponsor oversight is a critical element of ICH GCP. Make sure you document, in the contract or other documented communications with your vendors, when they must report non-compliances / serious breaches to the sponsor.
- What happens if the breach needs significant and lengthy investigation? It is important to report first and then continue to investigate the details, which can be provided later to the HA. When reporting, consider who else externally needs to be notified, e.g. the Investigation Review Board (Ethics Committee). If the clinical trial is halted, what other regulatory notifications need to be made?
- When you first start a serious breach process, expect over-reporting. This is normal; it might take a while before you hit the true level of reporting. It’s also not a bad thing to look at incidences that come close to a serious breach definition. This way you can potentially avoid a non-compliance situation down the line.
- The serious breach assessment itself should follow your Quality Management System (QMS). The investigation should be prompt, and you must perform a root cause analysis and assess the impact on the scientific value of the data, as well as the impact on patient safety. Once the root cause is known, then it should follow your routine CAPA system.
- Assume all cases of fraud are a serious breach. It’s okay to merge these two types of investigations together in the Policy or SOP.
- Consider also tying together the serious breach with your protocol deviation review process. You should define at what stage a multitude of minor deviations become a serious breach. How does the review of safety signal detection tie into the serious breach process? Are you able to recognize patterns of escalating non-compliance?
- A serious breach investigation must be documented and held for inspection. It must be retained for 25 years in the Trial Master File, but it’s a good idea to also keep a separate log of incidences ready for inspection. Remember, serious breaches also go in the Pharmacovigilance System Master File (PSMF).
- It is very useful to circulate the serious breach to relevant internal individuals so that it may be included in the Clinical Study Report or publications. It must also feed into the QMS and be captured at relevant management reviews to ensure it doesn’t reoccur.
- Don’t underestimate the significant effort required for staff training to create staff awareness and understanding.
I hope this was a useful, albeit non-exhaustive, review of the serious breach process. For those who enjoy reading the regulations, there are some very useful examples of serious breaches tabulated at the end of EU No 536/2014. Remember: it’s all about patient safety and good data.
About the Author: Jane Wood is the Principal of YourEncore's Quality Center of Excellence. With over 40 years global experience, Jane has led small and large teams of Quality professionals to mitigate risk and develop R&D Quality solutions. Jane currently leads a team of subject matter experts offering in-depth experience in all sections of Quality and GxP.