IV.B.2. The risk-based approach to pharmacovigilance audits

A risk-based approach is one that uses techniques to determine the areas of risk, where risk is defined as the probability of an event occurring that will have an impact on the achievement of objectives, taking account of the severity of its outcome and/or likelihood of non-detection by other methods. The risk-based approach to audits focuses on the areas of highest risk to the organisation’s pharmacovigilance system, including its quality system for pharmacovigilance activities. In the context of pharmacovigilance, the risk to public health is of prime importance. Risk can be assessed at the following stages:

• strategic level audit planning resulting in an audit strategy (long term approach), which should be endorsed by upper management;
• tactical level audit planning resulting in an audit programme, setting audit objectives, and the extent and boundaries, often termed as scope, of the audits in that programme; and
• operational level audit planning resulting in an audit plan for individual audit engagements, prioritising audit tasks based on risk and utilising risk-based sampling and testing approaches, and reporting of audit findings in line with their relative risk level and audit recommendations in line with the suggested grading system (see IV.B.2.3.1.).

Risk assessment should be documented appropriately for the strategic, tactical and operational planning of pharmacovigilance audit activity in the organisation (see IV.B.2.1., IV.B.2.2. and IV.B.2.3. respectively).

IV.B.2.1.Strategic level audit planning

The audit strategy is a high level statement of how the audit activities will be delivered over a period of time, longer than the annual programme, usually for a period of 2-5 years. The audit strategy includes a list of audits that could reasonably be performed. The audit strategy is used to outline the areas highlighted for audit, the audit topics as well as the methods and assumptions (including e.g. risk assessment) on which the audit programme is based.

The audit strategy should cover the governance, risk management and internal controls of all parts of the pharmacovigilance system including:

• all pharmacovigilance processes and tasks;
• the quality system for pharmacovigilance activities;
• interactions and interfaces with other departments, as appropriate;
• pharmacovigilance activities conducted by affiliated organisations or activities delegated to another organisation (e.g. regional reporting centres, MAH affiliates or third parties, such as contract organisations and other vendors). This is a non-prioritised, non-exhaustive list of examples of risk factors that could be considered for the purposes of a risk assessment:
• changes to legislation and guidance;
• major re-organisation or other re-structuring of the pharmacovigilance system, mergers, acquisitions (specifically for marketing authorisation holders, this may lead to a significant increase in the number of products for which the system is used);
• change in key managerial function(s);
• risk to availability of adequately trained and experienced pharmacovigilance staff, e.g. due to significant turn-over of staff, deficiencies in training processes, re-organisation, increase in volumes of work; • significant changes to the system since the time of a previous audit, e.g. introduction of a new database(s) for pharmacovigilance activities or of a significant upgrade to the existing database(s), changes to processes and activities in order to address new or amended regulatory requirements;
• first medicinal product on the market (for a marketing authorisation holder);
• medicinal product(s) on the market with specific risk minimisation measures or other specific safety conditions such as requirements for additional monitoring;
• criticality of the process, e.g.:
  • for competent authorities: how critical is the area/process to proper functioning of the pharmacovigilance system and the overall objective of safeguarding public health;
  • for marketing authorisation holders: how critical is the area/process to proper functioning of the pharmacovigilance system. When deciding when to audit an affiliate or third party, the marketing authorisation holder should consider the nature and criticality of the pharmacovigilance activities that are being performed by an affiliate or third party on behalf of the marketing authorisation holder, in addition to considering the other factors included in this list;
• outcome of previous audits, e.g. has the area/process ever been audited (if not, then this may need to be prioritised depending on criticality); if the area/process has previously been audited, the audit findings are a factor to consider when deciding when to re-audit the area/process, including the implementation of agreed actions;
• identified procedural gaps relating to specific areas/processes;
• other information relating to compliance with legislation and guidance, for example:
  • for competent authorities: information from compliance metrics (as described in the Commission Implementing Regulation on the Performance of Pharmacovigilance Activities Provided for in Regulation (EC) No 726/2004 and Directive 2001/83/EC), from complaints, from external sources, e.g. audits/assessments of the competent authority conducted by external bodies;
  • for marketing authorisation holders: information from compliance metrics (as described in the Commission Implementing Regulation on the Performance of Pharmacovigilance Activities Provided for in Regulation (EC) No 726/2004 and Directive 2001/83/EC), from inspections (see GVP Module III), from complaints, from other external sources, e.g. audits;
• other organisational changes that could negatively impact on the area/process, e.g. if a change occurs to a support function (such as information technology support) this could negatively impact upon pharmacovigilance activities.

IV.B.2.2. Tactical level audit planning

An audit programme is a set of one or more audits planned for a specific timeframe, normally for a year. It should be prepared in line with the long term audit strategy. The audit programme should be approved by upper management with overall responsibility for operational and governance structure.

The risk-based audit programme should be based on an appropriate risk assessment and should focus on:

• the quality system for pharmacovigilance activities;
• critical pharmacovigilance processes (see e.g. GVP Module I and IR Art 11, 15);
• key control systems relied on for pharmacovigilance activities;
• areas identified as high risk, after controls have been put in place or mitigating action taken.

The risk-based audit programme should also take into account historical areas with insufficient past audit coverage, and high risk areas identified by and/or specific requests from management and/or persons responsible for pharmacovigilance activities.

The audit programme documentation should include a brief description of the plan for each audit to be delivered, including an outline of scope and objectives.

The rationale for the timing, periodicity and scope of the individual audits which form part of the audit programme should be based on the documented risk assessment. However, risk-based pharmacovigilance audit(s) should be performed at regular intervals, which are in line with legislative requirements.

Changes to the audit programme may happen and will require proper documentation.

IV.B.2.3. Operational level audit planning and reporting

IV.B.2.3.1. Planning and fieldwork

The organisation should ensure that written procedures are in place regarding the planning and conduct of individual audits that will be delivered. Timeframes for all the steps required for the performance of an individual audit should be settled in the relevant audit related procedures, and the organisation should ensure that audits are conducted in accordance with the written procedures, in line with this GVP Module.

Individual pharmacovigilance audits should be undertaken in line with the approved risk-based audit programme (see IV.B.2.2.). When planning individual audits, the auditor identifies and assesses the risks relevant to the area under review and employs the most appropriate risk-based sampling and testing methods, documenting the audit approach in an audit plan.

IV.B.2.3.2. Reporting

The findings of the auditors should be documented in an audit report and should be communicated to management in a timely manner. The audit process should include mechanisms for communicating the audit findings to the auditee and receiving feedback, and reporting the audit findings to management and relevant parties, including those responsible for pharmacovigilance systems, in accordance with legal requirements and guidance on pharmacovigilance audits. Audit findings should be reported in line with their relative risk level and should be graded in order to indicate their relative criticality to risks impacting the pharmacovigilance system, processes and parts of processes. The grading system should be defined in the description of the quality system for pharmacovigilance, and should take into consideration the thresholds noted below which would be used in further reporting under the legislation as set out in IV.C.2.:

• critical is a fundamental weakness in one or more pharmacovigilance processes or practices that adversely affects the whole pharmacovigilance system and/or the rights, safety or well-being of patients, or that poses a potential risk to public health and/or represents a serious violation of applicable regulatory requirements.
• major is a significant weakness in one or more pharmacovigilance processes or practices, or a fundamental weakness in part of one or more pharmacovigilance processes or practices that is detrimental to the whole process and/or could potentially adversely affect the rights, safety or well-being of patients and/or could potentially pose a risk to public health and/or represents a violation of applicable regulatory requirements which is however not considered serious.
• minor is a weakness in the part of one or more pharmacovigilance processes or practices that is not expected to adversely affect the whole pharmacovigilance system or process and/or the rights, safety or well-being of patients.

Issues that need to be urgently addressed should be communicated in an expedited manner to the auditee’s management and the upper management.

IV.B.2.4. Actions based on audit outcomes and follow-up of audits

Actions referenced in this section of the guideline, i.e., immediate action, prompt action, action within a reasonable timeframe, issues that need to be urgently addressed, or communicated in an expedited manner, are intended to convey timelines that are appropriate, relevant, and in line with the relative risk to the pharmacovigilance system. Corrective and preventive actions to address critical and major issues should be prioritised. The precise timeframe for action(s) related to a given critical finding, for example, may differ depending on nature of findings and the planned action(s).

The management of the organisation is responsible for ensuring that the organisation has a mechanism in place to adequately address the issues arising from pharmacovigilance audits. Actions should include root cause analysis and impact analysis of identified audit findings and preparation of a corrective and preventive action plan, where appropriate.

Upper management and those charged with governance, should ensure that effective action is implemented to address the audit findings. The implementation of agreed actions should be monitored in a systematic way, and the progress of implementation should be communicated on a periodic basis proportionate to the planned actions to upper management.

Evidence of completion of actions should be recorded in order to document that issues raised during the audit have been addressed.

Capacity for follow-up audits should be foreseen in the audit programme. They should be carried out as deemed necessary, in order to verify the completion of agreed actions. [IR Art 13(2), Art 17(2)].