Expert’s Opinion

Good Clinical Practice: Serious Breach Process

How to assess the significance of the breach, who needs to be involved, and how to report it

By: Jane Wood

Principal, YourEncore Quality Center of Excellence

There is nothing more important than patient and consumer safety. At the end of the day, the importance of safety lies in all that development teams do: the drugs, devices and products they produce. There are so many ways of ensuring patient safety. There are regulations, protocols, well-trained staff, validated IT systems etc., but a necessarily important concept to review is the serious breach process.

What is a serious breach? It is a breach of a clinical trial protocol that is likely to affect, to a significant degree, the safety (both physical and mental) and rights of a subject or the reliability, robustness or scientific value of data generated in a clinical trial. Deviations from protocols and GCP commonly occur in clinical trials, the vast majority of which are minor deviations that do not result in harm to the trial subjects or affect the data outcomes. In these cases, teams follow the normal process of documenting the deviation and taking the appropriate corrective and preventative actions. However, when the deviation is more serious, teams need to know how to handle the situation, how to assess the significance of the breach, who needs to be involved, and how to report it.

As FDA regulations report, adherence to the principles of GCP is universally accepted as a critical requirement to the conduct of research involving human subjects.In the US, there is no specific regulation discussing serious breaches per se, however all the regulations point to the essential requirement of human subject protection and handling of non-compliance. In Europe, the regulations are more specific; EU No 536/2014 states, “The sponsor shall notify the member states concerned about a serious breach or of the version of the protocol applicable at the time of the breach through the EU portal without undue delay, but not later than 7 days after becoming aware of that breach.” Although there is delay in the implementation of the EU portal, it is still an expectation that teams follow the serious breach process. In the ICH E6(R2) Addendum, section 5.20 (Non-compliance), it reads “5.20.1 If noncompliance that significantly affects or has the potential to significantly affect human subject protection or reliability of trial results is discovered, the sponsor should perform a root cause analysis and implement appropriate corrective and preventive actions.”

Every sponsor needs a serious breach process, and the outlined details are vital to each situation’s success:

·       Document your process in a Policy or SOP. If you don’t have a documented process, it most likely will be a Health Authority inspection finding. Include who owns the serious breach investigation process, who should attend, who makes the decisions, how do you escalate, who reports. In your process. You may also want to “Charter” the constitution of the serious breach committee. However you decide to document the process, it should be formal and include receipt, assessment, investigation, escalation, Corrective and Preventative Actions (CAPA) and reporting to the HA(s).

·       When should a breach be reported to the Health Authority (HA)?Any breach should be reported within seven calendar days of the sponsor, or anyone who has contractual agreements with the sponsor (e.g. vendors, suppliers, CROs), becoming aware of the breach. This means that you need to clearly define Day 0; this is the first awareness at the clinical trial site or when the sponsor or CRO become aware.

·       Sponsor oversight is a critical element of ICH GCP. Make sure you document, in the contract or other documented communications with your vendors, when they must report non-compliances or serious breaches to the sponsor.

·       What happens if the breach needs significant and lengthy investigation?It is important to report first and then continue to investigate the details, which can be provided later to the HA. When reporting, consider who else externally needs to be notified, i.e. the Investigation Review Board (Ethics Committee). If the clinical trial is halted, what other regulatory notifications need to be made?

·       When you first start a serious breach process, expect over-reporting. This is normal; it might take a while before you hit the true level of reporting. It’s also pertinent to look at incidences that come close to a serious breach definition. This way you can potentially avoid a non-compliance situation down the line.

·       The serious breach assessment itself should follow your Quality Management System (QMS). The investigation should be prompt, and you must perform a root cause analysis and assess the impact on the scientific value of the data, as well as the impact on patient safety. Once the root cause is known, then it should follow your routine CAPA system.

·       It is safe to assume most cases of fraud are a serious breach. It’s okay to merge these two types of investigations together in the Policy or SOP.

·       Consider also tying together the serious breach with your protocol deviation review process. You should define at what stage a multitude of minor deviations become a serious breach. The team should also recognize the strong relationship between safety signal detection and the serious breach process.

·       A serious breach investigation must be documented and held for inspection. It must be retained for 25 years in the Trial Master File, but it’s a good idea to also keep a separate log of incidences ready for inspection. Remember, serious breaches also go in the Pharmacovigilance System Master File (PSMF).

·       It is useful to circulate the serious breach to relevant internal stakeholders so that it may be included in the Clinical Study Report or publications. It must also feed into the QMS and be captured at relevant management reviews to ensure it doesn’t reoccur.

In formulating a serious breach process, sponsors should not underestimate the significant effort required for staff training to create staff awareness and understanding. The time spent on training and awareness now could prevent increasing time and cost demands down the line. For more useful regulation examples, reference the end of EU No 536/2014. A consistent serious breach process can lead to better patient safety and precise data.



 
Building on 40 years of industry and leadership experience, Jane brings a wide range of Quality & Compliance experience to YourEncore, tailoring Quality Management Systems aligning with ICH E6 (R2) and other regulations, developing strategies for weaving the business and R&D quality together, consulting on R&D quality and compliance issues. Jane specializes in helping prepare for, mitigate, and resolve global Regulatory actions, including mock inspections, assessments and audits. Jane most recently led the R&D Quality & Compliance function for Johnson & Johnson, leading a global team of 360 colleagues with broad-based GXP compliance responsibilities across the Pharmaceutical, Medical Device, and Consumer sectors.

Keep Up With Our Content. Subscribe To Contract Pharma Newsletters