6 Questions Answered about Serious Breach Reporting

Posted in Process Improvement

A Legal Requirement of the Clinical Trial Regulation (CTR)

What is a Serious Breach?

A serious breach is ‘Any deviation of the approved protocol version or the clinical trial regulation that is likely to affect the safety, rights of trial participants and/or data reliability and robustness to a significant degree in a clinical trial’. This is the definition in new guidance adopted by the EMA GCP Inspectors Working Group on December 13, 2021. It became effective on January 31, 2022, when Clinical Trial Regulation (CTR) 536/2014 went into effect. Many people may have missed its publication with it being the holiday season and/or preparing for the implementation of the Clinical Trial Information System (CTIS).

As per the guidance, a suspected serious breach means an incident which at the time of communication from investigators or from service providers to the sponsor has not yet been assessed by the sponsor to be a serious breach.

What are the reporting requirements related to the CTR?

The sponsor shall notify the member states concerned about a serious breach of the regulation or of the version of the protocol in effect at the time the breach occurs. The report is made in the CTIS portal without undue delay but no later than 7 days.

Who should make the report?

The sponsor is responsible for making the report via the CTIS system but can delegate the activity by means of a written agreement. Of course, like any other activity that is delegated, the sponsor retains overall responsibility and should ensure there is adequate oversight.

Suspected serious breaches should be reported promptly to the sponsor by investigators and service providers to allow time for investigation and determination of whether it is serious and requires reporting.

The sponsor should provide a dedicated, unique e-mail address and phone number that be reached 24/7 for these communications.

Note that it is calendar days, not business days. It is, therefore, important that investigators and vendors are trained to understand the urgency of reporting suspected breaches promptly, so the sponsor has time to investigate the suspected breach and report if they have reasonable grounds to believe that a serious breach has occurred.

How does the EU definition differ from MHRA definition?

Reporting of Serious Breaches of GCP or the trial protocol has been in place in the UK for many years. The most recent guidance was issued on July 8, 2020, and can be accessed here. Note that the MHRA definition has no mention of ‘rights.’

What should you consider when assessing a breach?

Keep in mind that the breach is not limited to the protocol requirements in effect at the time of the breach, but also if the incident is a breach of the CTR 536/2014.

The CTR has 18 chapters, 99 articles and 7 annexes. Determining a breach of the CTR will require familiarity with the content as well as the ‘live’ Q&A document posted in Volume 10 Eudralex, accessed here. CTIS requires that you indicate whether the breach is ‘protocol’ or ‘regulation’ related when making the notification.

If the protocol references ICH E6 R2, and the breach is related to an ICH E6 R2 requirement, the next question is whether the breach could be considered as ‘serious.’

The regulation uses the term ‘likely to affect.’ How likely is likely? More than 50%? More than 90%? We face the same dilemma with ‘to a significant degree.’ What is significant to you or to me may not be significant to others. It will depend on the context. Best practice may be to have a Serious Breach committee or review team which is convened to evaluate any incidents and determine whether reporting is required and documents the justifications of the decisions made (serious breach/not a serious breach).

The Guidance provides, as an example, a breach of the Regulation (EU) No 536/2014 or of the protocol (e.g., a mis-dosing in relation to an error) which may result in a Serious Adverse Event (SAE) or a Suspected Unexpected Serious Adverse Reaction (SUSAR). This can constitute a serious breach, if failure to manage safety events, for example lack of SUSARs reporting, results in trial participants being put at a significant degree of risk and needs to be reported.

Another important consideration is that if a serious breach occurred at an investigator site outside of the EU/EEA for a clinical trial authorised/conducted also in the EU/EEA and this leads to the removal of data from the trial analysis, then this should be notified as well. Hence the importance of training all investigators (not just EU investigators) on Serious Breach and the reporting requirements. Examples of serious breaches are provided in the Appendix to guidance and can be accessed here.

What actions might be taken by the Member State concerned when a Serious Breach is reported?

Serious breaches will be notified by the sponsors via CTIS. After submission in CTIS this information will be visible in the secure module of the Member States that can perform an assessment. The assessment of the serious breach done by the Member States will lead to the publication of the serious breach and the corresponding evaluation in the CTIS public domain.

It is too soon to assess the consequences of publication. Might that lead to investigators not being selected for future trials? How detailed will the publication be? Could it lead to underreporting if PIs or vendors fear the consequent publicity? Will it act as a deterrent and ensure that trials are conducted in compliance with the protocol and the regulation?

As per the guidance, some of the serious breaches reported will be managed in-house via acceptable Corrective and Preventive Actions (CAPA) and with the oversight of the Member State. Other serious breaches may require either an inspection and/or regulatory actions being taken.

Like many of you, we are monitoring the public domain of the CTIS to see what is posted and will update you when we see the first Serious Breach published.

WCG Avoca Quality Consortium (AQC) Members can access the following Serious Breach tools:

If your organization does not have a process to evaluate and report Serious Breaches, now might be a good time to put one in place. If you need help conducting a gap analysis to see which of your SOPs may need to be updated to align with CTR, WCG Avoca consultants can work with you to bring them up to date.
Contact Us


Brigid Flanagan, BA, RN, CCRC, MSB

Senior Consultant

WCG Avoca