The basic steps to risk-based audits of your pharmacovigilance service provider

Susanne Felumb, CEO

As a marketing authorisation holder (MAH) in the EU, you are required to audit your pharmacovigilance system on a regular basis to ensure that it complies with relevant legislation and the EMA’s guidelines on good pharmacovigilance practices (GVP).

If you have outsourced your pharmacovigilance activities, you must audit your pharmacovigilance service provider to the same standards.

In this article, you will learn the basic steps to conducting risk-based pharmacovigilance audits at the strategic, the tactical and the operational levels.

Risk-based pharmacovigilance audits

The EMA’s GVP guidelines state that “The marketing authorisation holder in the EU is required to perform regular risk-based audit(s) of their pharmacovigilance system”.

A risk-based approach to pharmacovigilance audits ensures that the audits are based on a risk assessment and target the highest safety risks to the organisation’s pharmacovigilance system, including its quality system for pharmacovigilance activities.

A risk-based audit should cover governance, risk management and internal controls of all parts of the pharmacovigilance system, as well as pharmacovigilance activities delegated to another organisation such as PharmAdvice. You should assess risks at the strategic, the tactical and the operational levels.

Your pharmacovigilance audit strategy

The audit strategy is a long-term plan for your auditing activities. The strategy should be based on a thorough risk assessment which identifies the areas of the highest risk to your pharmacovigilance system and your quality system for pharmacovigilance activities for the next two to five years.

Risk factors may include but are not limited to:

  • significant changes to the pharmacovigilance system or to the safety database

  • additional monitoring requirements for a medicinal product

  • future access to properly trained and experienced staff

  • outcomes of previous audits

  • organisational changes

  • changes to legislation.

Consider whether you have sufficient expertise and resources to conduct the risk assessment and audits within the organisation, or whether you should hire a trained, external auditor.

Your tactical audit programme

A tactical audit programme is a series of audits scheduled for a specific timeframe, usually for a year at a time. The programme should be in line with the audit strategy, address the risk factors identified there, and be approved by upper management. You must document any changes to the audit programme.

According to the EMA’s Guideline on good pharmacovigilance practices (GVP), the risk-based audit programme should focus on four key aspects:

  • critical pharmacovigilance processes

  • the quality system for pharmacovigilance activities

  • key control systems relied on for pharmacovigilance activities

  • areas identified as high risk despite controls or mitigating actions.

Remember to include the areas to be audited, the scope, frequency and objectives of the audits, and the timeframe for each audit, and take into account the time and resources needed for following up on audits.

The 3 stages of PV audits at the operational level

1. Plan the audit

Draw up a plan for each step of the audit. List the documents to be reviewed, and notify your pharmacovigilance service provider of the audit, requesting any necessary documentation.

2. Conduct the audit

Visit the pharmacovigilance provider to inspect facilities, observe work processes and interview key people. Review each step of adverse event management with written policies, procedures, work instructions, information flow and documentation.

Review the data available from the PV provider, such as reports of side effects, safety surveillance data, literature reviews and other relevant information. Assess how well the provider complies with relevant legislative requirements, industry guidelines, internal standards and employee competencies. Compile an audit report that summarises the findings of the audit and identifies and grades any deficiencies (critical, major or minor) or potential risks.

3. Follow up on the audit

The auditee must provide a CAPA plan for your approval and address corrective and preventive actions as agreed. It might be necessary to actively follow up on the audit to ensure that any identified problems are addressed and resolved effectively.

 

Frequently asked questions about risk-based PV audits

How often should you audit your pharmacovigilance vendor?

There is no set interval mentioned in the GVP guidelines. However, the risk-based approach dictates that the auditing programme be based on a risk assessment, as some pharmacovigilance service providers may need more frequent auditing than others.

Who can conduct a risk-based audit?

The audit should be carried out by a qualified, trained auditor. Note that auditing to the required standards involves significant costs, resources and expertise, and the auditor must be objective.

The qualified auditor must be well-versed in:

  • Applicable laws, regulations and other PV requirements

  • Pharmacovigilance activities, processes and systems

  • Audit principles, procedures and techniques

  • Organisational systems

  • Management systems

A poorly qualified or biased auditor is a risk to the pharmacovigilance system in their own right, which is why many small and medium-sized companies rely on external experts to conduct pharmacovigilance audits.

How long does an audit take?

Planning and conducting an audit, preparing an audit report, and approving the CAPA plan take time. Expect your auditor to need at least one working week.

If the auditor is an internal resource with responsibilities in addition to auditing vendors, they will likely be unable to attend to other tasks during the auditing period.

 

Sharing an audit is more efficient and reduces costs

At PharmAdvice, we use a globally applicable PV system for all our PV customers. We offer our customers access to an audit report on our pharmacovigilance system: the joint PV audit.

As an MAH, you can fulfil your pharmacovigilance vendor auditing obligation while investing considerably less time and significantly fewer resources compared to conducting the audit yourself.

The audit is conducted by an experienced, independent auditor, which ensures an objective, unbiased auditing process.
