EMA Guideline on Good PV Practices: Module IV PV Audits
In December 2012 the EMA finalized and made effective module IV of its (so far) 15 guideline modules on pharmacovigilance (PV). This one covers PV audits done by companies and third parties and is the “companion” piece to module III on PV inspections (by governments and competent authorities (CAs)).
The concept is very similar to FDA’s handling of postmarketing drug safety. See, for example:
- The FDA Compliance Program Guidance Manual which discusses risk-based PV investigations for its inspectors (now called “investigators”): CHAPTER 53 – Postmarketing Surveillance and Epidemiology which states “Each year, using a risk-based approach, the PVC Team selects firms to be inspected. The risk-based approach takes into account factors such as the date of the firm’s last PADE inspection, the firm’s past compliance history, identified deficiencies, acquisition of new drug approvals or abbreviated new drug approvals (A/NDAs), and product safety concerns.” https://www.fda.gov/downloads/Drugs/GuidanceComplianceRegulatoryInformation/UCM332013.pdf
The EMA’s document is somewhat more detailed than FDA’s documents on this subject and is worth examining carefully. Its requirements are very similar to FDA’s and thus represent a good framework to use in creating a PV audit and quality management system in a company.
The EMA uses this module to cover guidance on planning and conducting audits of PV systems in companies and competent authorities as well as audits of accompanying quality management systems (QMS). The EMA uses standardized audit theory and techniques many of which may not be familiar to PV folks, though well known to compliance and quality auditors. See The Institute of Internal Auditors at https://na.theiia.org/Pages/IIAHome.aspx.
The goal of a PV audit is to verify by examination and evaluation, using objective evidence, the appropriateness and effectiveness of the implementation and operation of the PV system including the quality system.
The Marketing Authorization Holder (MAH) must perform regular risk based audits of their PV system and QMS as noted in DIR Art 104(2) and other EU documents. The critical and major findings must be put into the PV System Master File and the CAPAs put in place must be implemented.
The CAs in member states must perform regular independent audits of their own governmental PV tasks and report the results of their audits every two years at least.
See this module for the full legal and regulatory background and governing laws and regulations.
There is some jargon used in this document including:
- Audit: A systematic, disciplined, independent and documented process for obtaining evidence and evaluating this evidence objectively to determine the extent to which the audit criteria are fulfilled, contributing to the improvement of risk management, control and governance processes.
- Audit evidence consists of records, statements or other information, which are relevant to the audit criteria and verifiable.
- Audit criteria are, for each audit objective, the standards of performance and control against which the auditee and its activities will be assessed. Audit criteria should reflect the requirements for the pharmacovigilance system, including its quality system for pharmacovigilance activities, as found in the legislation and guidance.
Note that, although not mentioned in this document, an auditor may also audit against the company’s SOPs and other procedural documents as “audit criteria”. For example, if the regulations require expedited reports to be sent to FDA or a CA in 15 calendar days and the company’s SOPs require this to be done in 12 calendar days, an auditor might cite the company for failing to meet its own standards, which are higher and tougher than the law and regulations require. The lesson here is that companies should be careful if they make their own standards more stringent than the law. They will be held to these harder standards by some auditors.
- Risk based PV audits use techniques to determine the areas of risk and then focus on the areas of highest risk to the organization’s PV system & QMS system.
- Strategic Level Audit Planning defines the long-term approach for audits and is endorsed by upper management.
- Tactical Level Planning creates an audit program, objectives and the scope of the audits.
- Operational Level Planning covers plans for individual audits, prioritizing the tasks, using risk-based sampling and, finally, reporting of findings and recommendations.
Strategic Level Audit Planning
This is a high level statement of how audit activities will be done over a time period of two to five years and includes a list of audits that can reasonably be done & outlines areas highlighted for audit, methods & assumptions. For example, in a large global pharma company it may not be possible or appropriate to audit smaller subsidiary countries’ PV systems if they only send in a handful of well-done cases. This might be covered by a “paper” or “distance” audit or some other means of quality assessment and control. The goal here is for the company to have a well thought out long-term quality and compliance plan on the books.
The plan should cover governance, risk management and internal controls of all PV processes and tasks, the QPPV (for the EU), interactions and interfaces with other departments and PV activities that are out-sourced or done by other departments or third parties. This scope may be very large and would include business partners and groups that are not primarily drug safety functions but touch on them (e.g. monitoring of phase IV trials or post-marketing commitments).
The document describes factors for prioritizing audits. These could also be called “audit triggers” and should alert the company to consider giving priority to audits if one or more of these triggers appear. Note, of course, that the EMA and FDA will use this list to prioritize their inspections also:
- Changes in legislation
- Major reorganization of the PV system, mergers, acquisitions (e.g. more & new drugs)
- Changes in key personnel
- “Risks” to availability of staff (that is, significant turnover of staff, deficient training, reorganization, increased work volume)
- Significant changes to the system since the previous audit (e.g. new database, changes to processes or regulations)
- First medicinal product on the market (a new MAH and for the US: a new NDA/BLA)
- Products with specific RMPs or special safety conditions (and for the US: REMS)
- Criticality that good PV be done to protect public health
- Outcome of previous audits
- Identified known gaps
- Problematic compliance metrics (e.g. late expedited reports)
Tactical level planning produces a risk-based audit program for a shorter time period (usually a year), based on the strategic planning and approved by upper management as described above. This focuses on:
- The quality system for PV activities
- Critical PV processes
- Key control systems relied on for PV activities
- Areas identified as high risk, after mitigating actions have been put in place
- Historical areas with insufficient past audit coverage and high risk areas
Documentation should include a brief description of the plan for each audit with scope and objectives plus the rationale for the timing, periodicity & scope.
Operational Planning & Reporting
This section covers actions the company must have in place for audits and quality management and includes:
- Planning & Fieldwork: Ensure that written SOPs are in place for audits with timeframes for each of the audit steps.
- Reporting: Findings must be documented in an audit report for management, auditees & other relevant parties. The report must be done in a timely manner with a mechanism for feedback from all parties.
The FDA generally does not use a grading system in its PV audits but simply reports numbered findings usually but not always with the more urgent findings first.
The EU has a formal grading system as follows:
- Critical is a fundamental weakness in one or more pharmacovigilance processes or practices that adversely affects the whole pharmacovigilance system and/or the rights, safety or well-being of patients, or that poses a potential risk to public health and/or represents a serious violation of applicable regulatory requirements.
- Major is a significant weakness in one or more pharmacovigilance processes or practices, or a fundamental weakness in part of one or more pharmacovigilance processes or practices that is detrimental to the whole process and/or could potentially adversely affect the rights, safety or well-being of patients and/or could potentially pose a risk to public health and/or represents a violation of applicable regulatory requirements which is however not considered serious.
- Minor is a weakness in the part of one or more pharmacovigilance processes or practices that is not expected to adversely affect the whole pharmacovigilance system or process and/or the rights, safety or well-being of patients.
Obviously, the critical and major findings get highest priority and should be acted upon immediately or very rapidly. Note that multiple or repeated major findings may be classified as critical and similarly multiple or repeated minor findings may be classified as major.
Actions after the Audit
The company should divide the findings and actions into those which require immediate action, prompt action, action within a reasonable timeframe and issues that need to be urgently addressed or communicated in an expedited manner. This is the classification suggested in the guideline.
In addition the company must perform root cause and impact analyses of the findings and then prepare and prioritize corrective action preventive action (CAPA) plans. Management must ensure that a mechanism is in place to address these issues and ensure CAPA implementation keeping in mind that a follow up audit will probably be necessary if there are significant issues. Everything should be well documented and reports and documentation should be retained for the appropriate required times. In drug safety, this basically boils down to “forever” though one should check with the company attorneys, regulatory and archiving groups to be sure.
Quality Management Systems
The EMA notes that the PV auditors should be objective and independent of PV activities and be free of interference in determining the scope, performance and communication of the results. The main reporting line should be to upper management. Thus the auditors should not be a part of the PV function.
Obviously auditors should demonstrate and maintain proficiency in knowledge and skills in PV auditing. The audit team should have a combination of education, work experience, training and skills to handle audits even if each individual in the team does not have all the skills. Key areas of knowledge include audit principles, procedures, techniques, applicable laws and regulations, PV activities, processes and systems, management systems and organizational systems. In addition, the quality of the audit work should also be periodically assessed; that is, someone should somehow audit the auditors!
As many smaller organizations do not have the PV audit expertise in-house, it is quite appropriate to go outside for people or companies to do the PV audits. However, the ultimate responsibility for the PV system remains within the organization. When out-sourcing is done the EMA recommends:
- The requirements, preparation, risk assessment, strategy, program, details, scope, objectives and procedural requirements must be specified in writing to the outside organization.
- The company should obtain & document assurance of the independence & objectivity of the auditors.
- The outside auditor should follow the GVP modules.
Summary and Comments
The MAH and CAs must perform regular internal PV audits on themselves and report the findings to the authorities regulating or supervising them in the EU. This is less spelled out in the US by the FDA but audits and CAPAs are expected and FDA can ask to see them.
The methodology spelled out in this document is not surprising and many if not most companies already have this in place in one form or another. If your company (or CA) does not have it fully in place, it will need to do so sooner rather than later. The EMA and some member states as well as the FDA and other agencies are now actively inspecting using these risk-based requirements.