Quality (QA QC QMS) Deficiencies

Dec 11, 2013

Pharmacovigilance, Drug Safety and Regulatory Affairs Author & Expert

In May of this year I did a posting on the Quality Management Systems (QMS) that are obligatory for DS/PV departments based on FDA’s Quality Manual and the EMA’s Good PV Guidelines Module 1.

Since then I have done many audits of drug safety and PV groups around the US and Europe and, sad to say, most companies remain deficient in Quality Systems.

Here’s a quick review of what’s needed, what’s actually in place and some actionable things you can do.




Both FDA and EMA (and other agencies) have made it clear that they expect quality to be built into drug safety (and all pharmaceutical systems).  FDA expects a QMS with a mission statement, procedural documents/SOPs, clear management responsibilities, training, audits, CAPAs (when needed) and metrics.


The EMA is somewhat more specific in its module 1 requiring:

  • Continuous monitoring of PV data, risk minimization.
  • Scientific evaluation of all information on risks particularly regarding ARs from off-label or occupational exposure
  • Examination & submission of non-serious ARs
  • Integrity, quality & completeness of data
  • Processes to avoid duplicate submissions.
  • Effective communication with public, HCPs & CAs on all safety matters
  • Updated product labeling as new information becomes known
  • Written SOPs & procedural documents
  • Good PV record management & data security/privacy
  • Organization charts, HR management within PV, job descriptions
  • QMS: organizational structure, responsibilities, procedures, processes, training, resources of and resource management, compliance management and record management.

And finally the EMA notes that certain functions are critical and will be inspected by them:


  • Continuous safety profile & benefit-risk evaluations
  • Establishing, assessing and implementing risk management systems and evaluating the effectiveness of risk minimization
  • Collection, processing, management, QC, follow-up for missing information, coding, classification, duplicate detection, evaluation and timely electronic transmission of individual case safety reports (ICSRs) from any source
  • Signal management
  • Meeting commitments and responding to requests from CAs;
  • Interaction between the PV and product quality defect (i.e. manufacturing) systems
  • Communication of PV concerns between MAHs & CAs especially regarding changes to the risk-benefit balance of products
  • Communicating information to patients and HCPs about changes to the risk-benefit balance
  • Keeping product information up-to-date
  • Implementation of variations (i.e. changes) to MAs for safety reasons according to the urgency required.
  • Submissions to EudraVigilance


The MHRA and other health agency inspections will indeed look at these areas.  See: https://www.mhra.gov.uk/Howweregulate/Medicines/Inspectionandstandards/GoodPharmacovigilancePractice/Theinspectionprocess/index.htm#4  and https://www.mhra.gov.uk/home/groups/is-insp/documents/websiteresources/con175416.pdf

In these documents the MHRA notes the QMS areas that are often deficient.  There are many other areas of deficiency outside of the QMS area in the DS/PV departments.  See the first URL above:


  • Procedural Documentation
    • None exist / insufficiently detailed to ensure consistency
    • Do not reflect practice
    • Training not done or even lack of awareness by staff of existence of procedure
  • Training
    • Inadequate or absent
    • Lack of refresher training
    • Restricted to PV department and done company wide
  • Quality Assurance Auditing
    • Lack of PV audits (conducted and future plans)
    • Extent of audits (affiliates, contractors)
    • Scope of audits – key functions (signal detection process, SPC updates)
  • Record Retention & Archiving


The second URL covers MHRA inspection findings from April 2011 to March 2012 (the latest data available).  81 inspections were performed and the critical findings relating to QMS include: poor or lacking procedural documentation, training, CAPA management and MAH oversight.  Major QMS findings include problems in quality assurance auditing SOPs, the QMS, product quality and MAH oversight.  Minor/other findings include: quality assurance auditing SOPs, training, archiving, the QMS, and product quality.

From my audits I’ve seen: problems in audit/inspection readiness, siloing, lack of management oversight, poor or absent metrics, poor or absent training, little quality review in real time during case processing, lack of audits of the PV system, vendors, partners and CROs who handle safety, CAPAs that are never completed, and SOPs that are out of date, non-existent or divorced from reality.  To be more specific:


  • Audit/inspection readiness: In many cases there is no SOP on how to handle an FDA, EMA or external inspection.  This was often visible during my inspections where there was no system in place to obtain the needed personnel and information during the audit.  The inability to respond to an expected EMA or unannounced FDA inspection can be disastrous for a company.  There needs to be a “well-oiled machine” in place ready to hit the ground running when the FDA or another agency walks in the door.
    • What to do: Be sure your company has an SOP on how to handle audits and inspections.  This should be seriously thought out with full buy-in from all stakeholders and all people who will participate in the audit from the company.  This is more complex than you may realize if you have not done this before.
    • Siloing: This seems to be a giant issue at big pharma companies.  Many of these companies now have globalized and distributed DS/PV with multiple groups handling different (and often narrow) aspects of PV, case processing, signaling etc.  The groups are far away geographically and rarely talk to each other or communicate.  It is even worse if CROs and other external vendors are used for case processing, signaling etc.  The PV case processing group in the US may not know what their counterparts in the company in Europe or Asia are doing.  They may or may not use the same SOPs.  This produces inconsistencies, different or even contradictory procedures, missed cases, late expedited reporting and even fights and email wars.  This is usually a sign of poor management oversight and control.  Similarly, there is siloing and disconnects amongst drug safety and its sister departments in the company such as regulatory, legal, IT, clinical research, signaling, epidemiology, medical information, call centers etc.
      • What to do: This is a tough one.  Some companies are so large, so spread out and globalized and tasks so distributed that it is hard to avoid siloing.  There are some things that can be done: common SOPs and procedures where feasible, frequent meetings (teleconferences) and phone meetings, internal audits and in the most severe cases “re-engineering” of how the drug safety function works.
      • Lack of Management Oversight: Some companies have tight control and clear hierarchies of responsibility.  It is clear where the “buck stops” and who owns drug safety and answers for safety issues.  Other companies have no chief medical or safety officer and simply have free-floating DS/PV groups doing their case processing and report writing but not really doing real “pharmacovigilance”.  No one owns or answers for safety.
        • What to do: Convince management that they really need to watch this function carefully, that they must pay attention to it, that the head(s) of drug safety is empowered, that “bad SAEs” are not the fault of drug safety.  Not necessarily an easy task.
        • Poor or Absent Metrics: Some companies have no idea how many SAEs/SUSARs are being processed, where they are in the processing system, when the cases are complete, whether medical reviews are being done, how follow up is progressing on each case, how many are on time or late to FDA, EMA and all other health agencies and business partners etc.  In other words, the system is not in control.  If you don’t measure late reports to FDA no one can yell at you for late reports!  However, in drug safety, what you don’t know can indeed hurt you when FDA comes knocking at the door.
          • What to do: Put in place metrics.  They can/should include:
          • Poor or Absent Training: Some companies do no training (“We don’t need to.  All our employees are highly experienced.  No rookies here.”); others do the minimum with such methodology as “read and understood” – that is, new hires and current employees are given an SOP to read and then sign a sheet saying they read it and understand it.  No testing, no formal training.  I’ve seen egregious cases where a new hire “read and understood” seventeen SOPs and detailed work instructions in 3 hours on the day of hire.  Obviously, one cannot learn a complex system in such a short length of time.  Bad training shows up as bad work.
            • What to do: Ensure that a training procedure is in place, that it is “realistic” and requires that training be done before a policy is put in place.  Ensure that “read and understood” is not the only way training is done, especially for mission critical functions (e.g. data entry into the safety database). Document all training & save a copy of powerpoint presentations or handouts.
            • Little Real Time Quality Review: It’s always easier to correct a problem on the spot than at the end of the process.  Fixing the plumbing in a new house should be done before the drywall goes up!  Similarly in drug safety, miscoding a case or a typo on a lab report or drug dosage can produce disaster down the road if it is not spotted and corrected immediately.
              • What to do: Be sure quality review is done at the appropriate steps of case processing.  Document it.
              • Lack of Audits of PV, Vendors, CROs etc: This is now obligatory and expected periodically which means more or less every one to three years depending upon the criticality of the function.  An external CRO doing a company’s safety data processing and storage should be examined before the contract is signed (due diligence audits), and then after the first cases are processed (e.g. at month 3 or 4) and then yearly or every two years if things are progressing well.  Real time quality review with metrics, KPIs, case reviews etc. should also be done.
                • What to do: Set up an audit schedule of the company’s DS/PV groups and functions.  Audit vendors and out-sourcers.  If the internal auditors do not know how to do a PV audit (and this is a particular skill set) use external experienced PV auditors.
                • CAPAs (Corrective Action, Preventive Action Plans): Some companies don’t have a formal CAPA system at all and they hope things just straighten out.  Others have a CAPA system but no one owns it or verifies that promises made are promises completed – particularly if the promise is to the FDA or EMA.  That means the same bad findings will occur in audit after audit.
                  • What to do: Don’t take CAPAs lightly.  If there is no system for CAPAs set one up, write procedural documents and be sure there is a mechanism to track all CAPAs to closure.
                  • SOPs: Some companies have no SOPs.  Hard to believe but that is the case.  Others have rudimentary, high level SOPs that state good intentions but are not very useful and don’t assign tasks and responsibilities to anyone.  Other companies have multiple levels and duplicative (sometimes contradictory) procedural documents including SOPs, Work Instructions, Cheat Sheets, Manuals, Guidelines, and more.  Some are uncontrolled documents; all procedural documents must be controlled and versioned.  Some SOPs have no relation to the reality of day to day functioning and are either out of date or just for show.
                    • What to do: If the current procedural documents are not up to snuff, fix them.  Make sure there is an “SOP on SOPs”.  There should be a formal assignment of responsibilities to an SOP group, usually at the corporate level, which then uses subject matter experts to write the details of the SOPs.  All SOPs should be “real” – that is, not the theory but how that function will really be done.  The government inspectors will verify that the SOPs are being followed.  If not, you’ll be cited.
      • Late & on time ICSRs, e.g., 7-, 15-day reports, EU submissions)
        • Late reports into Drug Safety, e.g., from study monitors
        • Late workflow steps within DS, e.g., triage within 24 hours, case closure by day 7, coding, medical review, due diligence requests
        • Late reports to HAs, business partners etc.
        • E2B reporting failures
      • Late & on time aggregate reports (e.g. PADERs, PSURs, DSURs)
      • Late & on time Medical Monitor trip reports
      • CAPA commitments done on time, done but late, not done
      • SOPs updated on time & training done as required.


Some or all of these lacks will be cited by the inspector or auditor and some will be critical if they y cause case processing, patient protection, PSURs, expedited reporting and other critical functions to fail or falter.  Health authorities are doing “risk based” inspections now and will often make the assumption that if one big area is out of control, most or all of the other areas in the company are out of control.

The bottom line is that government inspectors are now doing serious PV inspections and will catch companies that are not doing adequate (or better) drug safety.  Many (though not all) government inspectors are highly skilled in PV and have seen it all.  They have inspected the great companies and the disasters and, in most cases, cannot be fooled.  It truly is in the company’s interest to take drug safety seriously and to be sure that a quality system is in place to ensure that drug safety and PV function well.

Tags: , , , ,