hero image


  EMA Guideline on Good PV Practices: Module IV PV Audits

In December 2012 the EMA finalized and made effective module IV of its (so far) 15 guideline modules on pharmacovigilance (PV).  This one covers PV audits done by companies and third parties and is the “companion” piece to module III on PV inspections (by governments and competent authorities (CAs)).

The concept is very similar to FDA’s handling of postmarketing drug safety.  See, for example:

The EMA’s document is somewhat more detailed than FDA’s documents on this subject and is worth examining carefully.  Its requirements are very similar to FDAs and thus represent a good framework to use in creating a PV audit and quality management system in a company.


The EMA uses this module to cover guidance on planning and conducting audits of PV systems in companies and competent authorities as well as audits of accompanying quality management systems (QMS). The EMA uses standardized audit theory and techniques many of which may not be familiar to PV folks, though well known to compliance and quality auditors.  See The Institute of Internal Auditors at https://na.theiia.org/Pages/IIAHome.aspx.

The goal of a PV audit is to verify by examination and evaluation, using objective evidence, the appropriateness and effectiveness of the implementation and operation of the PV system including the quality system.


The Marketing Authorization Holder (MAH) must perform regular risk based audits of their PV system and QMS as noted in DIR Art 104(2) and other EU documents.  The critical and major findings must be put into the PV System Master File and the CAPAs put in place must be implemented.

The CAs in member states must perform regular independent audits of their own governmental PV tasks and report the results of their audits every two years at least.

See this module for the full legal and regulatory background and governing laws and regulations.


There is some jargon used in this document including:

Note that, although not mentioned in this document, an auditor may also audit against the companies SOPs and other procedural documents as “audit criteria”.  For example, if the regulations require expedited reports to be sent to FDA or a CA in 15 calendar days and the company’s SOPs requires this to be done in 12 calendar days, an auditor might cite the company for failing to meet their own (higher and tougher) standards than the law and regulations require.  The lesson here is that companies should be careful if they make their own standards more stringent than the law.  They will be held to these harder standards by some auditors.

Strategic Level Audit Planning

This is a high level statement of how audit activities will be done over a time period of two to five years and includes a list of audits that can reasonably be done & outlines areas highlighted for audit, methods & assumptions.  For example, in a large global pharma company it may not be possible or appropriate to audit smaller subsidiary countries’ PV systems if they only send in a handful of well-done cases.  This might be covered by a “paper” or “distance” audit or some other means of quality assessment and control.  The goal here is for the company to have a well thought out long-term quality and compliance plan on the books.

The plan should cover governance, risk management and internal controls of all PV processes and tasks, the QPPV (for the EU), interactions and interfaces with other departments and PV activities that are out-sourced or done by other departments or third parties.  This scope may be very large and would include business partners and groups that are not primarily drug safety functions but touch on them (e.g. monitoring of phase IV trials or post-marketing commitments).

The document describes factors for prioritizing audits.  These could also be called “audit triggers” and should alert the company to consider giving priority to audits if one or more of these triggers appear.  Note, of course, that the EMA and FDA will use this list to prioritize their inspections also:

Tactical Planning

This is a risk based audit program for a shorter time period (usually a year) based on the strategic planning & approved by upper management as described above.  This focuses on:

Documentation should include a brief description of the plan for each audit with scope and objectives plus the rationale for the timing, periodicity & scope.

Operational Planning & Reporting

This section covers actions the company must have in place for audits and quality management and includes:

Grading Systems

The FDA generally does not use a grading system in its PV audits but simply reports numbered findings usually but not always with the more urgent findings first.

The EU has a formal grading system as follows:

Obviously, the critical and major findings get highest priority and should be acted upon immediately or very rapidly.  Note that multiple or repeated major findings may be classified as critical and similarly multiple or repeated minor findings may be classified as major.

Actions after the Audit

The company should divide the findings and actions into those which require immediate action, prompt action, action within a reasonable timeframe and issues that need to be urgently addressed or communicated in an expedited manner.  This is the classification suggested in the guideline.

In addition the company must perform root cause and impact analyses of the findings and then prepare and prioritize corrective action preventive action (CAPA) plans.  Management must ensure that a mechanism is in place to address these issues and ensure CAPA implementation keeping in mind that a follow up audit will probably be necessary if there are significant issues. Everything should be well documented and reports and documentation should be retained for the appropriate required times.  In drug safety, this basically boils down to “forever” though one should check with the company attorneys, regulatory and archiving groups to be sure.

Quality Management Systems

The EMA notes that the PV auditors should be objective and independent of PV activities and be free of interference in determining the scope, performance and communication of the results.  The main reporting line should be to upper management.  Thus the auditors should not be a part of the PV function.

Obviously auditors should demonstrate and maintain proficiency in knowledge and skills in PV auditing.  The audit team should have a combination of education, work experience, training and skills to handle audits even if each individual in the team does not have all the skills.  Key areas of knowledge include audit principles, procedures, techniques, applicable laws and regulations, PV activities processes and systems, management systems and organizational systems.  In addition, evaluation of the quality of the audit work should also be periodically assessed – that is, someone should somehow audit the auditors!

External Auditors

As many smaller organizations do not have the PV audit expertise in-house, it is quite appropriate to go outside for people or companies to do the PV audits.  However, the ultimate responsibility for the PV system remains within the organization.  When out-sourcing is done the EMA recommends:

Summary and Comments

The MAH and CAs must perform regular internal PV audits on themselves and report the findings to the authorities regulating or supervising them in the EU.  This is less spelled out in the US by the FDA but audits and CAPAs are expected and FDA can ask to see them.

The methodology spelled out in this document is not surprising and many if not most companies already have this in place in one form or another.  If your company (or CA) does not have it fully in place, it will need to do so sooner rather than later.  The EMA and some member states as well as the FDA and other agencies are now actively inspecting using these risk-based requirements.

Related Articles