From our experience, companies are falling short of their pharmacovigilance obligations with regards to strategic, tactical and operational level PV audit planning. This can lead to areas of non-compliance, risks to patient safety and inspection findings. Outlined below are some of the key guidance and learnings from working with our clients over the years.
Marketing Authorisation Holders in the EU are required to perform regular risk-based audit(s) of their pharmacovigilance system [Directive Art. 104(2)], including audit(s) of its quality system to ensure that the quality system complies with the quality system requirements [DIR Art. 8,10, 11, 12, 13 (1)]. The dates and results of audits shall be documented [IR Art. 13(2)].
The risk-based approach to audits focuses on the areas of highest risk to the organisation’s PV system, including its quality system for PV activities. In the context of PV, the risk to public health is of prime importance. Risk can be assessed at strategic, tactical and operational level audit planning.
PV Audit Strategy – this is a high-level statement of how the audit activities will be delivered over a period of time, usually for a period of 2-5 years. It should cover the governance, risk management and internal controls of all parts of the PV system including processes, tasks, quality system, interactions and interfaces with other departments, including the PV activities conducted by affiliates, third parties and outsourced service providers. The PV Audit Strategy should be endorsed by upper management.
PV Tactical Audit Plan – this includes the planned PV audits for a specific timeframe, normally a year. It should be prepared in line with your PV Audit Strategy. The PV Tactical Audit Plan should be approved by upper management with overall responsibility for operational and governance structure.
Operational PV Audits – Written procedures should be in place regarding the planning and conduct of individual audits. Individual audits should be undertaken in line with the approved risk-based audit programme. PV audit activities should be independent.
MAHs should complete PV Risk Assessment(s) to identify, document and assess each process, system or party in their PV audit universe. The PV Risk Assessment should be granular in nature to account for each process, system, individual entity / third party in the MAH PV audit universe and their associated risks. It should include the factors used in the risk assessments and the MAHs methods of control and safeguards in place to mitigate against these risks, categorise the severity of the risks, and any actions required to reduce the risks and assure the on-going compliance, efficiency and effectiveness of the MAH PV system.
Some examples of risk factors to be considered include:
- Changes to legislation and guidance
- Major re-organisation of the PV system, mergers/acquisitions
- Change in key managerial functions
- Risk to availability of adequately trained and experienced PV staff
- Significant changes to the system since previous audits
- First medicinal product on the market (for an MAH)
- Medicinal product(s) on the market with specific risk minimisation measures or other specific safety conditions such as requirements for additional monitoring
- Criticality of the process
- Outcome of previous audits
- Identified procedural gaps relating to specific areas/processes
- Information from compliance metrics
- Other organisational changes (for e.g. to a support function such as IT)
Current controls and safeguards can include audits, risk assessment questionnaires, up to date safety data exchange agreements, routine reconciliations, training, oversight and compliance metrics.
The PV Risk Assessment should be reviewed on a periodic basis to ensure new PV systems, processes or parties are added/removed as required to ensure that there are no additional risks to the products and ultimately to the patient.
Types of PV Suppliers in the PV audit universe can include PV Service Providers, Distributors/Wholesalers, Licensed MAH partners, Contract Manufacturers, etc. PV Supplier Risk Assessment Questionnaires will contribute to and support the PV Risk Assessments, PV Audit Strategy and PV Tactical Audit Plan. However, a PV Supplier Risk Assessment Questionnaire in which evidence of fulfilment of pharmacovigilance requirements is not adequately obtained and evaluated, would not be regarded as an audit.
An MAH should have written procedures on pharmacovigilance auditing to describe their processes for risk-based PV audit planning. An MAH should also have written procedures on the management and oversight of PV Suppliers, outlining the process required for the selection and qualification of PV Suppliers and defining the process for maintaining routine oversight of all PV activities conducted on behalf of the MAH.
If you need assistance with your PV Risk Assessments, PV Audit Strategy, PV Tactical Audit Plan or performing Operational PV audits reach out to the experts at Acorn Regulatory, we are ready to listen, support and guide you through the process with ‘expertise you can trust’.
