Submission of comments on 'Guideline for the notification of serious breaches of Regulation (EU) No 536/2014 or the clinical trial protocol' Draft (EMA/430909/2016)

Comments from:

KKS-Netzwerk e. V. – Netzwerk der Koordinierungszentren für Klinische Studien, Deutsche Hochschulmedizin e. V. und TMF Technologie- und Methodenplattform für die vernetzte medizinische Forschung e. V., Germany

1. General comments

We want to thank the EMA for its efforts to illustrate what would have to be considered as a serious breach by providing a (non-exhaustive) list of examples and to outline the processes concerning the notification of a serious breach. We appreciate that this is meant to support the sponsor in his judgement whether an event fulfils the criterion of being a serious breach, but there are still important issues outstanding or unclear. We therefore are thankful to be able to comment on the provisions made in this important guideline. 

1) Reporting of serious breaches

In general, a serious breach should be considered an exception and should not be mixed up with the routine procedures for amending a study protocol. It should also be in the interest of Member States that no overreporting occurs as it is the case with SUSARs as the “receipt, evaluation and follow up of serious breaches” are part of the supervision of clinical trials by Member States (see Appendix on disclosure rules to the ‘Functional specifications for the EU portal and EU database to be audited’ - EMA/228383/2015, 4.5).

Unfortunately, in contrast to the above mentioned a lot of issues which currently require an amendment to the protocol would be judged as a serious breach according to the guideline. Therefore, we would very much recommend looking e. g. at the list of examples again. 

Among other things, from our point of view e. g. a distinction should be made whether

• a sponsor is informed about an issue that is likely to affect to a significant degree the safety and rights of a subject or the reliability and robustness of the data generated in the trial by a third party: this should be regarded as a serious breach, 

or, in contrast,

• the sponsor himself becomes aware of an issue e.g. in the protocol: this should be treated via an amendment and should not have to be classified as a serious breach.

2) Examples of serious breaches

Furthermore, the examples provided in Appendix I are demonstrating the possible arbitrariness in evaluating whether something would be a serious breach (also from the competent authority view):

a) Category "Sample processing", example 1: For this issue the submission of an substantial amendment is necessary. When would the timeline for notification start in this example as a secondary endpoint is generally not depending on the number of subjects in the trial?

b) Category “Protocol compliance”, example 2: when should this be notified?

c) Category “Protocol compliance”, example 4: this example shows how extendable the prerequisite “likely to affect patient safety…” is.

3) Withdrawal of a “serious breach” from the database if it not met the definition of a serious breach after further evaluation

A serious breach should be reported on “reasonable grounds” (70); however, if further investigation leads to the conclusion (on reasonable grounds) that the notified serious breach did not fulfill the criteria of a serious breach, there should be a system in place by which the sponsor could nullify (including justification; see SUSAR reporting) the report of the serious breach and it could subsequently be withdrawn from the database. To our opinion it is very important to add such a possibility, i.e. as we expect overreporting as mentioned above. Such a process is already implemented in the EudraVigilance DB where a „Nullification request“ for reports is foreseen (see 5.2.10 in EudraVigilance Stakeholder Change Management Plan: http://www.ema.europa.eu/docs/en_GB/document_library/Regulatory_and_procedural_guideline/2015/10/WC500196029.pdf).

This could be in addition to the process by which Member States conclude that no serious breach had been substantiated and therefore no details of the reported breach will be published (see Appendix on disclosure rules to the ‘Functional specifications for the EU portal and EU database to be audited’ - EMA/228383/2015, Chapter 4.5.3, 1.1).

4) Timeline for notification

The guideline should not go beyond the legal basis in article 52 of Regulation (EU) 536/2014 (subsequently Regulation), e. g. with regards to the timeline for notification. Therefore, the 7-day-timeline for notification should start when the sponsor or a legal representative of the sponsor becomes aware of the serious breach (according to article 52 of the Regulation), not when any other third party or a contractual partner becomes aware of it. This should be unequivocally clear.

5) Clarification needed for protocol deviations reported in an eCRF

Some protocol deviations are documented in the eCRF, e. g.

• non-compliance regarding the visit schedule
• co-medication which was excluded
• (incorrect) application of the investigational medicinal product (Dose, batch…)
• (incorrect) conduct of investigations
• further parameters which are judged to be important and which therefore shall be analysed centrally (e.g. via central monitoring)

In this case it is not clear what would have to be taken as timepoint the sponsor became aware of the breach:

a) The day of entry into the eCRF? This would necessitate special alert systems on distinct eCRF-items by which the Sponsor (Sponsor delegate) would be informed by immediate notice about entry of incorrect values. Otherwise, it would not be realistic that the 7-day-timeline for notification could be kept.
or
b) The day of the central monitoring, which is conducted in regular intervals? 

The preferred option would be b). Clarification would be helpful.

6) Notification form

A form should be added as an appendix which can be used for notification of serious breaches. This should include the minimum items to be reported and how the summary of the information should be structured. Appendix II is not regarded as sufficient in this respect (see also Appendix on disclosure rules to the ‘Functional specifications for the EU portal and EU database to be audited’ - EMA/228383/2015, Chapter 4.5.3, 1.6).

7) Glossary

We recommend adding a glossary in which terms like e. g. “technical deviation” are defined.

Further general comments

Chapter 7 is in large parts redundant to what is stated previously and could be shortened.

In general, the guideline should recommend that the process for assessment, notification and handling of serious breaches is included in the Risk management plan.

The process in case of co-sponsoring according to article 72 is not defined in the guideline.

In our opinion, the guideline is still vague in a lot of instances as described above.

2. Specific comments on text

Line 40

Comment:
Please define in more detail what it means “to affect to a significant degree the safety and rights for a subject or the reliability and robustness of the data generated in the clinical trial”?

Proposed change (if any):
Add definition of significant.

Line 51

Comment:
We find Chapter 3.1 too short. It is not stated who should perform the assessment of a serious breach and whether the assessment of the serious breach can be delegated.

Furthermore, it is not clear in the guideline whether the sponsor can delegate the notification (taking e. g. into account the statements in line 51 and line 59) as the statements are ambiguous.

Proposed change (if any):
To add information about who should assess and notify serious breach.

Line 52

Comment:
More comprehensive examples of “another party” are needed.

Proposed change (if any):
Third party provider should be added.

Line 55 and 70-76

Comment:
The timeline for notification based on the Regulation is very short. This might lead to overreporting, as it is difficult to proof the “robustness of the data” in this short time frame.

As written in line 36-38, Article 52 of the Regulation stipulates that “the sponsor shall notify …within seven days of becoming aware of that breach.” In line 55 to 57 this timeline is extended to “anyone who has a contractual agreement with the sponsor…”.

This additional element is not in line with the Regulation. A guideline cannot go beyond the underlying legislative text, line 55 to 57 therefore need to be re-worded to take account of this. Only if the sponsor delegates the notification function (see line 65-66) the timeline starts when this delegate becomes aware of the breach.

Proposed change (if any):
Re-wording of line 55-57 to “Within 7 calendar days of the sponsor becoming aware of the breach”.

Line 60-61

Comment:
The statement in line 60-61 is referring to an obligation in line 55-57 which is not covered by the regulation (except if the sponsor has delegated sponsor related obligations as e. g. the notification of serious breaches to a Third Party, a case already covered in line 65-66 (see also comment regarding line 55-57and 70-76).

Proposed change (if any):
Delete sentence.

Line 70-73

Comment:
What is “reasonable grounds”? This is very vague. Over-reporting is to be expected (as has happened in case of SUSARs).

Proposed change (if any):
Define more precisely.

Line 73-76

Comment:
What degree of investigation and assessment and in which cases is expected prior to notification? If the investigation needs to be taking place within 7 calendar days, this would lead to reporting of almost everything that could possibly meet the definition of a serious breach.

Proposed change (if any):
Re-consider start of timeline if prior investigation is needed to confirm that a serious breach has occurred.

Line 71-86

Comment:
Line 71-76 and 77-86 are somewhat in contrast to each other. This would be a very subjective judgement if it is not clear what “significant” means.

Proposed change (if any):
Please clarify this issue.

Line 73-83

Comment:
A serious breach should be reported on “reasonable grounds” (70); however, what if further investigation leads to the conclusion that it was not a serious breach -> can a report of a serious breach be withdrawn or nullified?

In addition, is there a link to the urgent safety measure reporting (risked based management) if the serious breach leads to immediate actions?

Inconsistent reporting by different parties (s. a. line 173 – 175) should be avoided.

Proposed change (if any):
A process should be added how a “serious breach” can be withdrawn from or nullified in the database. See also general comment.

Line 112

Comment:
Definition of “technical deviation” is missing.

Proposed change (if any):
Add definition of “technical deviation”.

Line 113-116

Comment:
This is a guideline concerning serious breaches, not concerning the handling and reporting of general or technical deviations occurring during the clinical trial and regarding the CSR. The sentences “These cases should be documented (for example, in the trial case report form or the trial master file) in order for appropriate corrective and preventive actions to be taken. In addition, these deviations should be included and considered when the clinical study report is produced, as they may have an impact on the analysis of the data.” are therefore superfluous.

Proposed change (if any):
The two sentences should be deleted. If not deleted, at least the words “in the trial case report form or” should be deleted.

Line 123ff

Comment:
What is “a breach which is likely to affect to a significant degree…”? The definition is very vague.

Proposed change (if any):
Define more precisely.

Line 149

Comment:
The whole chapter deals with responsibilities to fulfil the legal obligations for notifying serious breaches. Therefore in recognition of the importance of the content the chapter should be transferred to the beginning of the guideline.

Proposed change (if any):
The chapter should be transferred to the beginning of the guideline.

Line 158

Comment:
Who will be able to see the information and when? This is very important i.e. if the serious breach cannot be confirmed in the follow up.

Proposed change (if any):
Clarify in the guideline (in addition to the Appendix on disclosure rules to the ‘Functional specifications for the EU portal and EU database to be audited’ - EMA/228383/2015, Chapter 4.5.3, 1.1).

Line 172/173

Comment:
A definition of “staff” is missing.

Proposed change (if any):
Add definition.

Line 178-180

Comment:
It might lead to confusion what is subsumed under the term “site” here.

The terminology is not consistent in the guideline: the term “investigator site” (163) was used in different ways “other sites” (201), “EU/EEA sites” (202), “site” (page 11) and “trial site” (page 11) is used in the same context.

In addition, the term “site” is used for third parties.

Proposed change (if any):
Please use a defined and consistent terminology throughout the guideline.

Line 189-191

Comment:
Reference to Regulation (EU) 526/2014 would be useful.

Proposed change (if any):
Add reference to article 38 of Regulation (EU) 536/2014.

Line 207ff

Appendix I - Examples of serious breaches, Category IMP

Comment:
The example from line 134-135 should be added to examples for category “IMP”.

Proposed change (if any):
Add example.

Appendix I - Examples of serious breaches

Comment:
In general, the examples in the different categories should be numbered.

Proposed change (if any):
Add numbering.

30 Churchill Place ● Canary Wharf ● London E14 5EU ● United Kingdom
Telephone +44 (0)20 3660 6000 Facsimile +44 (0)20 3660 5555
Send a question via our website www.ema.europa.eu/contact

© European Medicines Agency, 2017. Reproduction is authorised provided the source is acknowledged.