GVP – Module IV: Pharmacovigilance audits (full text)

In force from:
12.08.2015

IV.A. Introduction

The entry into force of the new legislation on pharmacovigilance in July 2012, established legal requirements for competent authorities in the Member States and the European Medicines agency (the Agency) and marketing authorisation holders to perform audits of their pharmacovigilance systems [DIR Art 101(2), Art 104(2), REG Art 28f], including risk based audits of their quality systems [IR Art 13 (1), Art 17 (1)].

For the purposes of this Module reference to pharmacovigilance audit(s) and pharmacovigilance audit activity(ies) are deemed to include pharmacovigilance system audits and audit(s) of the quality system for pharmacovigilance activities.

The minimum requirements of the pharmacovigilance systems and the quality system are set out in the Commission Implementing Regulation (EU) No 520/2012 (IR) on the performance of pharmacovigilance activities provided for in Regulation (EC) No 726/2004 and Directive 2001/83/EC. Risk-based audits of the pharmacovigilance system should cover all areas listed in Directive 2001/83/EC (DIR) and Regulation (EC) 726/2004 (REG). The specificities of the risk-based audits of the quality system [for pharmacovigilance activities] are as described in the Implementing Measures [IR Art 8,10, 11,12,13(1) for marketing authorisation holders, and IR Art 8,14,15,16,17(1) for the competent authorities in Member States and the Agency].

The overall description and objectives of pharmacovigilance systems and quality systems for pharmacovigilance activities are referred to in GVP Module I, while the specific pharmacovigilance processes are described in each respective Module of GVP.

In this Module, all applicable legal requirements are referenced in the way explained in the GVP Introductory Cover Note and are usually identifiable by the modal verb “shall”. Guidance for the implementation of legal requirements is provided using the modal verb “should”. This Module provides guidance on planning and conducting the legally required audits, and in respect of the operation of the EU regulatory network, the role, context and management of pharmacovigilance audit activity. This Module is intended to facilitate the performance of pharmacovigilance audits, especially to promote harmonisation, and encourage consistency and simplification of the audit process. The principles in this Module are aligned with internationally accepted auditing standards, issued by relevant international auditing standardisation organisations (1) and support a risk-based approach to pharmacovigilance audits.

Section IV.B. outlines the general structures and processes that should be followed to identify the most appropriate pharmacovigilance audit engagements and describes the steps which can be undertaken by marketing authorisation holders, competent authorities in Member States and the European Medicines Agency, to plan, conduct and report upon an individual pharmacovigilance audit engagements. This Section also provides an outline of the general quality system and record management practices for pharmacovigilance audit processes.

Section IV.C. provides an outline of the operation of the EU network in respect of pharmacovigilance audits.

IV.A.1. Terminology

Audit, Audit findings, Audit plan, Audit programme, Audit recommendations, Upper management: see in GVP Annex I.

Auditee: [entity] being audited (ISO 19011 (3.7) 2 ).

Compliance: Conformity and adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements (IIA International Standards for the Professional Practice of Internal Auditing(2)).

Control(s): Any action taken by management and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organises, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved (IIA International Standards for the Professional Practice of Internal Auditing(2)).

Evaluation (of audit activities): Professional auditing bodies promote compliance with standards, including in quality assurance of their own activities, and codes of conduct, which can be used to address adequate fulfilment of the organisation’s basic expectations of Internal Audit activity and its conformity to internationally accepted auditing standards.

Finding(s): see Audit findings

Head of the organisation: see Upper management

Auditors’ independence: The freedom from conditions that threaten objectivity or the appearance of objectivity. Such threats to objectivity must be managed at the individual auditor, engagement, functional and organisational levels (IIA International Standards for the Professional Practice of Internal Auditing(2)).

Internal Control: Internal control is an integral process that is effected by an entity’s management and personnel and is designed to address risk and provide reasonable assurance that in pursuit of the entity’s mission, the following general objectives are being achieved: executing orderly, ethical, economical, efficient and effective operations, fulfilling accountability obligations, complying with applicable laws and regulations and safeguarding resources against loss, misuse and damage (for further information refer to COSO standards).

International Auditing Standards: issued by International Auditing Standardisation Organisations.

International Auditing Standardisation Organisations: More details can be found at: regarding The Institute of Internal Auditors (IIA) Standards at https://www.theiia.org/guidance/standards-andguidance/ippf/standards/full-standards; the International Organisation for Standardisation (ISO) standard 19011 Guidelines for Quality and/or Environmental Management Systems Auditing at https://www.iso.org/iso/home.html; Information Systems Audit and Control Association (ISACA) Standards at https://www.isaca.org/Standards; The International Auditing and Assurance Standards Board (IAASB) Standards at https://www.ifac.org/auditing-assurance/clarity-center/clarified-standards; The International Organisation of Supreme Audit Institutions (INTOSAI) Standards at https://www.issai.org/composite-347.htm.

Auditors’ objectivity: An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. Objectivity requires internal auditors not to subordinate their judgment on audit matters to that of others (IIA International Standards for the Professional Practice of Internal Auditing(2) ).

IV.B. Structures and processes

IV.B.1. Pharmacovigilance audit and its objective

Pharmacovigilance audit activities should verify, by examination and evaluation of objective evidence, the appropriateness and effectiveness of the implementation and operation of a pharmacovigilance system, including its quality system for pharmacovigilance activities.

In general, an audit is a systematic, disciplined, independent and documented process for obtaining evidence and evaluating the evidence objectively to determine the extent to which the audit criteria are fulfilled, contributing to the improvement of risk management, control and governance processes (3).

Audit evidence consists of records, statements or other information, which are relevant to the audit criteria and verifiable. Audit criteria are, for each audit objective, the standards of performance and control against which the auditee and its activities will be assessed. In the context of pharmacovigilance, audit criteria should reflect the requirements for the pharmacovigilance system, including its quality system for pharmacovigilance activities, as found in the legislation and guidance.

IV.B.2. The risk-based approach to pharmacovigilance audits

A risk-based approach is one that uses techniques to determine the areas of risk, where risk is defined as the probability of an event occurring that will have an impact on the achievement of objectives, taking account of the severity of its outcome and/or likelihood of non-detection by other methods. The risk-based approach to audits focuses on the areas of highest risk to the organisation’s pharmacovigilance system, including its quality system for pharmacovigilance activities. In the context of pharmacovigilance, the risk to public health is of prime importance. Risk can be assessed at the following stages:

  • strategic level audit planning resulting in an audit strategy (long term approach), which should be endorsed by upper management;
  • tactical level audit planning resulting in an audit programme, setting audit objectives, and the extent and boundaries, often termed as scope, of the audits in that programme; and
  • operational level audit planning resulting in an audit plan for individual audit engagements, prioritising audit tasks based on risk and utilising risk-based sampling and testing approaches, and reporting of audit findings in line with their relative risk level and audit recommendations in line with the suggested grading system (see IV.B.2.3.1.).

Risk assessment should be documented appropriately for the strategic, tactical and operational planning of pharmacovigilance audit activity in the organisation (see IV.B.2.1., IV.B.2.2. and IV.B.2.3. respectively).

IV.B.2.1.Strategic level audit planning

The audit strategy is a high level statement of how the audit activities will be delivered over a period of time, longer than the annual programme, usually for a period of 2-5 years. The audit strategy includes a list of audits that could reasonably be performed. The audit strategy is used to outline the areas highlighted for audit, the audit topics as well as the methods and assumptions (including e.g. risk assessment) on which the audit programme is based.

The audit strategy should cover the governance, risk management and internal controls of all parts of the pharmacovigilance system including:

  • all pharmacovigilance processes and tasks;
  • the quality system for pharmacovigilance activities;
  • interactions and interfaces with other departments, as appropriate;
  • pharmacovigilance activities conducted by affiliated organisations or activities delegated to another organisation (e.g. regional reporting centres, MAH affiliates or third parties, such as contract organisations and other vendors). This is a non-prioritised, non-exhaustive list of examples of risk factors that could be considered for the purposes of a risk assessment:
  • changes to legislation and guidance;
  • major re-organisation or other re-structuring of the pharmacovigilance system, mergers, acquisitions (specifically for marketing authorisation holders, this may lead to a significant increase in the number of products for which the system is used);
  • change in key managerial function(s);
  • risk to availability of adequately trained and experienced pharmacovigilance staff, e.g. due to significant turn-over of staff, deficiencies in training processes, re-organisation, increase in volumes of work; • significant changes to the system since the time of a previous audit, e.g. introduction of a new database(s) for pharmacovigilance activities or of a significant upgrade to the existing database(s), changes to processes and activities in order to address new or amended regulatory requirements;
  • first medicinal product on the market (for a marketing authorisation holder);
  • medicinal product(s) on the market with specific risk minimisation measures or other specific safety conditions such as requirements for additional monitoring;
  • criticality of the process, e.g.:
    • for competent authorities: how critical is the area/process to proper functioning of the pharmacovigilance system and the overall objective of safeguarding public health;
    • for marketing authorisation holders: how critical is the area/process to proper functioning of the pharmacovigilance system. When deciding when to audit an affiliate or third party, the marketing authorisation holder should consider the nature and criticality of the pharmacovigilance activities that are being performed by an affiliate or third party on behalf of the marketing authorisation holder, in addition to considering the other factors included in this list;
  • outcome of previous audits, e.g. has the area/process ever been audited (if not, then this may need to be prioritised depending on criticality); if the area/process has previously been audited, the audit findings are a factor to consider when deciding when to re-audit the area/process, including the implementation of agreed actions;
  • identified procedural gaps relating to specific areas/processes;
  • other information relating to compliance with legislation and guidance, for example:
  • other organisational changes that could negatively impact on the area/process, e.g. if a change occurs to a support function (such as information technology support) this could negatively impact upon pharmacovigilance activities.

IV.B.2.2. Tactical level audit planning

An audit programme is a set of one or more audits planned for a specific timeframe, normally for a year. It should be prepared in line with the long term audit strategy. The audit programme should be approved by upper management with overall responsibility for operational and governance structure.

The risk-based audit programme should be based on an appropriate risk assessment and should focus on:

  • the quality system for pharmacovigilance activities;
  • critical pharmacovigilance processes (see e.g. GVP Module I and IR Art 11, 15);
  • key control systems relied on for pharmacovigilance activities;
  • areas identified as high risk, after controls have been put in place or mitigating action taken.

The risk-based audit programme should also take into account historical areas with insufficient past audit coverage, and high risk areas identified by and/or specific requests from management and/or persons responsible for pharmacovigilance activities.

The audit programme documentation should include a brief description of the plan for each audit to be delivered, including an outline of scope and objectives.

The rationale for the timing, periodicity and scope of the individual audits which form part of the audit programme should be based on the documented risk assessment. However, risk-based pharmacovigilance audit(s) should be performed at regular intervals, which are in line with legislative requirements.

Changes to the audit programme may happen and will require proper documentation.

IV.B.2.3. Operational level audit planning and reporting

IV.B.2.3.1. Planning and fieldwork

The organisation should ensure that written procedures are in place regarding the planning and conduct of individual audits that will be delivered. Timeframes for all the steps required for the performance of an individual audit should be settled in the relevant audit related procedures, and the organisation should ensure that audits are conducted in accordance with the written procedures, in line with this GVP Module.

Individual pharmacovigilance audits should be undertaken in line with the approved risk-based audit programme (see IV.B.2.2.). When planning individual audits, the auditor identifies and assesses the risks relevant to the area under review and employs the most appropriate risk-based sampling and testing methods, documenting the audit approach in an audit plan.

IV.B.2.3.2. Reporting

The findings of the auditors should be documented in an audit report and should be communicated to management in a timely manner. The audit process should include mechanisms for communicating the audit findings to the auditee and receiving feedback, and reporting the audit findings to management and relevant parties, including those responsible for pharmacovigilance systems, in accordance with legal requirements and guidance on pharmacovigilance audits. Audit findings should be reported in line with their relative risk level and should be graded in order to indicate their relative criticality to risks impacting the pharmacovigilance system, processes and parts of processes. The grading system should be defined in the description of the quality system for pharmacovigilance, and should take into consideration the thresholds noted below which would be used in further reporting under the legislation as set out in IV.C.2.:

  • critical is a fundamental weakness in one or more pharmacovigilance processes or practices that adversely affects the whole pharmacovigilance system and/or the rights, safety or well-being of patients, or that poses a potential risk to public health and/or represents a serious violation of applicable regulatory requirements.
  • major is a significant weakness in one or more pharmacovigilance processes or practices, or a fundamental weakness in part of one or more pharmacovigilance processes or practices that is detrimental to the whole process and/or could potentially adversely affect the rights, safety or well-being of patients and/or could potentially pose a risk to public health and/or represents a violation of applicable regulatory requirements which is however not considered serious.
  • minor is a weakness in the part of one or more pharmacovigilance processes or practices that is not expected to adversely affect the whole pharmacovigilance system or process and/or the rights, safety or well-being of patients.

Issues that need to be urgently addressed should be communicated in an expedited manner to the auditee’s management and the upper management.

IV.B.2.4. Actions based on audit outcomes and follow-up of audits

Actions referenced in this section of the guideline, i.e., immediate action, prompt action, action within a reasonable timeframe, issues that need to be urgently addressed, or communicated in an expedited manner, are intended to convey timelines that are appropriate, relevant, and in line with the relative risk to the pharmacovigilance system. Corrective and preventive actions to address critical and major issues should be prioritised. The precise timeframe for action(s) related to a given critical finding, for example, may differ depending on nature of findings and the planned action(s).

The management of the organisation is responsible for ensuring that the organisation has a mechanism in place to adequately address the issues arising from pharmacovigilance audits. Actions should include root cause analysis and impact analysis of identified audit findings and preparation of a corrective and preventive action plan, where appropriate.

Upper management and those charged with governance, should ensure that effective action is implemented to address the audit findings. The implementation of agreed actions should be monitored in a systematic way, and the progress of implementation should be communicated on a periodic basis proportionate to the planned actions to upper management.

Evidence of completion of actions should be recorded in order to document that issues raised during the audit have been addressed.

Capacity for follow-up audits should be foreseen in the audit programme. They should be carried out as deemed necessary, in order to verify the completion of agreed actions. [IR Art 13(2), Art 17(2)].

IV.B.3. Quality system and record management practices

IV.B.3.1. Competence of auditors and quality management of audit activities

IV.B.3.1.1. Independence and objectivity of audit work and auditors

The organisation should assign the specific responsibilities for the pharmacovigilance audit activities. Pharmacovigilance audit activities should be independent. The organisation’s management should ensure this independence and objectivity in a structured manner and document this.

Auditors should be free from interference in determining the scope of auditing, performing pharmacovigilance audits and communicating audit results. The main reporting line should be to the upper management with overall responsibility for operational and governance structure that allows the auditor(s) to fulfil their responsibilities and to provide independent, objective audit opinion. Auditors can consult with technical experts, personnel involved in pharmacovigilance processes, and with the person responsible for pharmacovigilance; however auditors should maintain an unbiased attitude that allows them to perform audit work in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. Objectivity requires auditors not to subordinate their judgement on audit matters to that of others.

IV.B.3.1.2. Qualifications, skills and experience of auditors and continuing professional development

Auditors should demonstrate and maintain proficiency in terms of the knowledge, skills and abilities required to effectively conduct and/or participate in pharmacovigilance audit activities. The proficiency of audit team members will have been gained through a combination of education, work experience and training and, as a team, should cover knowledge, skills and abilities in:

  • audit principles, procedures and techniques;
  • applicable laws, regulations and other requirements relevant to pharmacovigilance;
  • pharmacovigilance activities, processes and system(s);
  • management system(s);
  • organisational system(s).

IV.B.3.1.3. Evaluation of the quality of audit activities

Evaluation of audit work can be undertaken by means of ongoing and periodic assessment of all audit activities, auditee feedback and self-assessment of audit activities (e.g. quality assurance of audit activities, compliance to code of conduct, audit programme, and audit procedures).

IV.B.3.2. Audits undertaken by outsourced audit service providers

Ultimate responsibility for the operation and effectiveness of the pharmacovigilance system resides within the organisation (i.e. within the Agency, competent authority or marketing authorisation holder). Where the organisation decides to use an outsourced audit service provider to implement the pharmacovigilance audit requirements on the basis of this GVP Module and perform pharmacovigilance audits:

  • the requirements and preparation of the audit risk assessment, the audit strategy and audit programme and individual engagements should be specified to the outsourced service providers, by the organisation, in writing;
  • the scope, objectives and procedural requirements for the audit should be specified to the outsourced service provider, by the organisation, in writing;
  • the organisation should obtain and document assurance of the independence and objectivity of outsourced service providers;
  • the outsourced audit service provider should also follow the relevant parts of this GVP Module.

IV.B.3.3. Retention of audit reports

Retention of the audit report and evidence of completion of action needs to be in line with the requirements stipulated in GVP Module I.

IV.C. Pharmacovigilance audit policy framework and organisational structure

IV.C.1. Marketing authorisation holders in the EU

IV.C.1.1. Requirement to perform an audit

The marketing authorisation holder in the EU is required to perform regular risk-based audit(s) of their pharmacovigilance system [DIR Art 104(2)], including audit(s) of its quality system to ensure that the quality system complies with the quality system requirements [IR Art 8,10,11,12,13(1)]. The dates and results of audits and follow-up audits shall be documented [IR Art 13(2)].

See IV.C.2. for further details of the requirements for audit reporting by the marketing authorisation holder.

IV.C.1.1.1. The qualified person responsible for pharmacovigilance in the EU (QPPV)

The responsibilities of the QPPV in respect of audit are provided in GVP Module I. Furthermore, the QPPV should receive pharmacovigilance audit reports, and provide information to the auditors relevant to the risk assessment, including knowledge of status of corrective and preventive actions.

The QPPV should be notified of any audit findings relevant to the pharmacovigilance system in the EU, irrespective of where the audit was conducted.

IV.C.1.2. Competent authorities in Member States and the European Medicines Agency

IV.C.1.2.1. Requirement to perform an audit

The Agency shall perform regular independent audits of its pharmacovigilance tasks [REG Art 28f] and competent authorities in Member States shall perform a regular audit of their pharmacovigilance system [DIR Art 101(2)]. Included in their obligation to perform audits of their pharmacovigilance system/tasks, competent authorities in the Member States and the Agency shall perform risk-based audits of the quality system as well, at regular intervals according to a common methodology to ensure that the quality system complies with the requirements [IR Art 8,14,15,16,17(1)]. The dates and results of audits and follow-up audits shall be documented [IR Art 17(2)].

IV.C.1.2.2. Common methodology

In order to have a useful audit system, all audits at the competent authorities in the Member States and the European Medicines Agency should have a common ground in terms of methodology. This should ensure harmonised planning, implementation and reporting by every competent authority in Member States and at the Agency.

IV.C.1.2.3. The Pharmacovigilance Risk Assessment Committee (PRAC)

The mandate of the Pharmacovigilance Risk Assessment Committee (PRAC) shall cover all aspects of the risk management of the use of medicinal products for human use, having due regard to the design and evaluation of pharmacovigilance audits [REG Art 61a(6)].

IV.C.2. Requirements for audit reporting in the EU

IV.C.2.1. Reporting by the marketing authorisation holder

The marketing authorisation holder shall place a note concerning critical and major audit findings of any audit relating to the pharmacovigilance system in the pharmacovigilance system master file (PSMF) (see GVP Module II). Based on the audit findings, the marketing authorisation holder shall ensure that an appropriate plan detailing corrective and preventative action is prepared and implemented. Once the corrective and preventive actions have been fully implemented, the note may be removed [DIR Art 104(2), IR Art 13(2)]. Objective evidence is required in order that any note of audit findings can be removed from the pharmacovigilance system master file (see GVP Module II).

The marketing authorisation holders should ensure that a list of all scheduled and completed audits is kept in the annex to the pharmacovigilance system master file (IR Art 3(5)) and that they comply with reporting commitments in line with the legislation, GVP guidance and their internal reporting policies. The dates and results of audits and follow-up audits shall be documented [IR Art 13(2)].

IV.C.2.2. Reporting by competent authorities in Member States and the Agency

Competent authorities in Member States, and the Agency should ensure that they comply with reporting commitments in line with the legislation, GVP guidance and their internal reporting policies.

Competent authorities in Member States shall report the results [of their pharmacovigilance system audits] to the Commission on 21 September 2013 at the latest and then every 2 years thereafter [DIR Art 101(2)].

The Agency shall report the results [of its pharmacovigilance system audits] to its Management Board on a 2-yearly basis [REG Art 28f].

The reports to the European Commission will follow an agreed format.

IV.C.3. Confidentiality

Documents and information collected by the internal auditor should be treated with appropriate confidentiality and discretion, and also respect Directive 95/46/EC [Regulation (EC) No. 45/2001 for Community institutions and bodies] and national legislation on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

IV.C.4. Transparency

The European Commission shall make public a report on the performance of pharmacovigilance tasks by the Agency on 2 January 2014 at the latest and subsequently every 3 years thereafter [REG Art 29] and on the performance of pharmacovigilance tasks by the competent authorities in Member States on 21 July 2015 at the latest and then every 3 years thereafter [DIR Art 108(b)].