PHARMACOVIGILANCE AUDITING
Introduction:
The audit in the sense a systematic and independent examination of activities to identify whether the evaluated activities were performed according to decided requirements.
Systematic- organized, planned, methodical
Independent- unbiased, no conflict of interest, objective
Examination-assessment, evaluation, investigation
Decided requirements- audit criteria, regulations, procedures
Pharmacovigilance (PV) system is defined as a system used by a company to fulfill its legal goals and responsibilities in order to drug safety. It is designed to observe the safety of authorized medical products and identify any change to their risk balance. Pharmacovigilance tasks have to be carried out both for marketed and unmarked products.[1]
Pharmacovigilance Audits: These are conducted to verify, by examination and evaluation of objective evidence, the appropriateness and effectiveness of the implementation and operation of a pharmacovigilance system, including its quality system for pharmacovigilance activities. In general, an audit is a systematic, disciplined, independent, and documented process for obtaining evidence and evaluating the evidence objectively to determine the extent to which the audit criteria are fulfilled, contributing to the improvement of risk management, control, and governance processes.
Safety is of utmost concern to manufacturers and governing bodies worldwide.
However, because the process can be complicated, European Union has issued several laws and guidelines over the past several years to address issues that occur as a result of safety monitoring.
Examples of such laws include those that govern pharmacovigilance audits. Given these increased regulations, it is important for pharmaceutical executives to be familiar with the regulations that pertain to pharmacovigilance audits, understand the objectives of these audits, and develop strategic planning for these audits
.
Laws Governing Pharmacovigilance Audits
Several laws govern pharmacovigilance audits. Nonspecific laws include Directive 2001/20/EC and 21 Code of Federal Regulations 312.32, which pertain to the collection of adverse event data. Laws specific to pharmacovigilance in the European Union include the following:
Registration (EU) 1235/2010
Directive 2012/84/EU
Commission Implementing Regulation (EU) 520/2012
Regulation (EU) No 1027/2012
Directive 2012/26/EU
Directive 2001/83/EC
Regulation (EC) No. 726/2004
The aim of these laws is to decrease the number of adverse drug reactions in the European Union by enabling the collection of more accurate data on adverse events, Allowing personnel to assess safety issues more accurately, enabling appropriate regulatory actions to increase the safety of pharmaceuticals, encourage patients to participate more actively in the process, to allow manufacturers to be more transparent and provide more effective communication.
The regulations serve to define the roles of marketing authorization holders and applicants, decrease duplication of services, free up resources through the simplification of safety reporting, and establish a clear legal framework for monitoring after authorization.
Most recently, the European Parliament issued modules on Good Pharmacovigilance Practices to define the process further. One of the most important is Module IV, which discusses Pharmacovigilance audits.
What Happens During a Pharmacovigilance Audit?
During a pharmacovigilance audit, personnel reviews the quality management system currently used to collect, code, and process data for independent case study reports, the qualifications of the staff performing pharmacovigilance, and the roles and responsibilities of the European Qualified Person for Pharmacovigilance. They also assess whether the database used to store information on adverse events is compliant with the current regulations.
The systems for ongoing safety surveillance and strategies for detecting and mitigating risk and the procedures for conducting Pharmacovigilance are assessed. The literature on safety is also reviewed, as are disaster recovery and business continuity plans.
Personnel will also assess the processes and procedures for generating and reviewing reports and for collecting and assessing adverse events.
They also review procedures in the corporation’s call center and other departments for handling safety complaints, adverse events, and urgent safety issues. Procedures and contractual agreements with third-party vendors regarding pharmacovigilance are also assessed.
Strategic Planning for a Pharmacovigilance Audit
The aim of an audit is to use objective evidence to evaluate the effectiveness of a pharmacovigilance program. To that effect, manufacturers should use a risk-based approach to develop an audit strategy. Risk planning should include all pharmacovigilance processes and tasks, the quality system currently in place to address activities related to pharmacovigilance, and intra- and interdepartmental interactions. Changes to staff and the structure of a company should also be taken into account. Strategic risk planning should also account for changes to the pharmacovigilance system since the previous audit, the important nature of the process being audited, any changes to the company that occurred since the previous audit, and the results of previous audits.
Strategic planning for a pharmacovigilance audit involves risk-based planning on the strategic, tactical, and operational levels. On a strategic level, developers should establish an audit strategy that is approved by upper management. During the tactical planning stage, an audit plan is developed. Developers of this plan should address factors such as quality measures and critical processes within a pharmacovigilance system, areas of high risk, and areas that were not examined adequately during a previous audit.
Planning at the operational level results in a plan for individual audit engagements, prioritization of individual audit tasks, use of risk-based sampling and approaches, and a report of the audit findings according to the level of risk.
The regulations for pharmacovigilance audits have increased over the past several years. However, by using a risk-based approach to develop an audit strategy, companies can conform to these regulations.
The regulations for pharmacovigilance audits have increased over the past several years. However, by using a risk-based approach to develop an audit strategy, companies can conform to these regulations. This will enable them to monitor issues with medications more effectively and provide safer products to their consumers. [2]
Types of Pharmacovigilance Audits
The type of audit is depending on the different stages of risk
Strategic-level audit planning
The audit strategy includes a list of audits that could reasonably be performed. The audit strategy is used to outline the areas highlighted for audit, the audit topics as well as the methods and assumptions (including e.g. risk assessment) on which the audit program is based. The audit strategy is a high-level statement of how the audit activities will be delivered over a period of time, longer than the annual program, usually for a period of 2-5 years.
The strategy audit should cover the governance, risk management, and internal controls of all parts of the pharmacovigilance system including
all pharmacovigilance processes and tasks;
the quality system for pharmacovigilance activities;
interactions and interfaces with other departments, as appropriate;
pharmacovigilance activities conducted by affiliated organizations or activities delegated to another organization (e.g. regional reporting centers, MAH affiliates, or third parties, such as contract organizations and other vendors).
Tactical-level audit planning
An audit program is a set of one or more audits planned for a specific timeframe, normally for a year. It should be prepared in line with the long-term audit strategy. The audit program should be approved by upper management with overall responsibility for operational and governance structure. The risk-based audit program should be based on an appropriate risk assessment and should focus on:
the quality system for pharmacovigilance activities;
critical pharmacovigilance processes;
key control systems relied on for pharmacovigilance activities;
areas identified as high risk, after controls have been put in place or mitigating action taken.
The risk-based audit program should also take into account historical areas with insufficient past audit coverage, and high-risk areas identified by and/or specific requests from management and/or persons responsible for pharmacovigilance activities.
Operational-level audit planning
The organization ensures that written procedures are in place regarding the planning and conduct of individual audits that will be delivered. Timeframes for all the steps required for the performance of an individual audit should be settled in the relevant audit-related procedures, and the organization should ensure that audits are conducted in accordance with the written procedures. Individual pharmacovigilance audits should be undertaken in line with the approved risk-based audit program. When planning individual audits, the auditor identifies and assesses the risks relevant to the area under review and employs the most appropriate risk-based sampling and testing methods, documenting the audit approach in an audit plan. [3]
Audit Process
The audit process usually starts with planning and preparation, then the audit is conducted, followed by reporting, and ending with follow-up and closure.
Audit Plan
Usually, the audit plan consists of the following steps:
Pre-audit meeting to get a general vision of the organization and scope of the process.
Development and agreement of an audit plan defining audit objectives, scope, and roles and responsibilities.
Thorough review of relevant organizational documents such as SOPs, PSMF, and Pharmacovigilance Agreements before the audit, with total safety and confidentiality. This will allow us to be aware of the organization system which can save time during the on-site audit and make it even more efficient.
Development and agreement of audit agenda defining topics and personnel involved along with proposed time.
The duration of the audit will depend on the number of topics included in the scope of the audit, based on their relevance to the organization audited. A standard pharmacovigilance audit can be conducted within 2 to 4 working days. The Pharmacovigilance audit could include the following topics:
Structure and Responsibilities of the Pharmacovigilance organization
Pharmacovigilance System Master File (PSMF) maintenance
Quality Management Systems
Pharmacovigilance processes, Standard operating procedures (SOPs), manuals, etc.
Literature Screening
Management and reporting of adverse reactions
Medical information
Signal Detection and Management
Risk Management System
Periodic Safety Reporting
Maintenance of approved Product Information
Training
Record management, Archiving, Validation of Computer Systems, Security, Backup and Disaster Recovery
Audit Conduct
Pharmacovigilance On-site Audit usually starts with an introductory meeting followed by the review of the remaining relevant documents and interviews with the relevant personnel. The next step would be the demonstration of the PV activity and a tour of the facility. Finally, the audit will end with a closing meeting where the initial audit results will be presented.
Audit Report
An initial audit report is generally issued within defined timelines and specifies which topics have been audited with a detailed description of the findings detected, together with an Executive Summary. A significance rating and proposed actions are generally included for each finding identified. The initial report may be reviewed by Auditees and or the Quality Assurance department prior to the issue of the final audit report which includes the development and implementation of Corrective and Preventative Action Plans (CAPAs).
Audit Follow up and Closure
The client’s Quality Assurance department monitors the development and implementation of CAPAs plans. The audit is closed when applicable CAPAs have been completed. [4]
Data Integrity and Complaince
Compliance: Conformity and adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements [5]
Control(s): Any action taken by management and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved [5]
Evaluation (of audit activities): Professional auditing bodies promote compliance with standards, including in quality assurance of their own activities, and codes of conduct, which can be used to address adequate fulfillment of the organisation’s basic expectations of Internal Audit activity and its conformity to internationally accepted auditing standards.[5]
Auditors’ independence: The freedom from conditions that threaten objectivity or the appearance of objectivity. Such threats to objectivity must be managed at the individual auditor, engagement, functional and organisational levels [5]
Internal Control: Internal control is an integral process that is effected by an entity’s management and personnel and is designed to address risk and provide reasonable assurance that pursuit of the entity’s mission, the following general objectives are being achieved: executing orderly, ethical, economical, efficient and effective operations, fulfilling accountability obligations, complying with applicable laws and regulations and safeguarding resources against loss, misuse and damage.
Auditors’ objectivity: An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. Objectivity requires internal auditors not to subordinate their judgment on audit matters to that of others [5].
Confidentiality: Documents and information collected by the internal auditor should be treated with appropriate confidentiality and discretion, and also respect Directive 95/6/EC [Regulation (EC) No. 45/2001 for Community institutions and bodies] and national legislation on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
Transparency: The European Commission shall make public a report on the performance of pharmacovigilance tasks by the Agency on 2 January 2014 at the latest and subsequently every 3 years thereafter [REG Art 29] and on the performance of pharmacovigilance tasks by the competent authorities in Member States on 21 July 2015 at the latest and then every 3 years thereafter.
Guideline on good pharmacovigilance practices(GVP) Module Iv
Why to perform pharmacovigilance Audits:
To ensure compliance with company procedures local/global regulatory requirements
To ensure company regulatory obligations/commitments are met
evolving regulatory requirements
Increasing regulatory inspection-Internal detection of risk is essential
To identify process/quality improvements
CAPA(develop CAPA’s That are) collective and preventative action
Specific: Action resolves the risk and aim to prevent reoccurrence
Acheiveble: Action that is realistic and in accordance with regulations
Time driven: Identify realistic time frame for completion(based on risk)
Accountable: Action has clear accountability defined
CAPA development is one of the important aspects of successful audits
Internal pharmacovigiance audits are integral to assure company compliance are a key success factor for inspection readiness
Pharmacovigiance audit programmes should be designed to deliver value by:
Minimizing company risk
Identifying opportunities for improvement
Promote continous improvement culture with organizations where:
-Audits are a part of routine business
-Total quality management (TQM) Tools and principles are utilized
-Documentation is essential [6]
The guideline provides information, guidance and recommendations to facilitate compliance with regulatory requirements related to DI documentation and record management
ALCOA+. A commonly used acronym for “attributable, legible, contemporaneous, original and accurate” which puts additional emphasis on the attributes of being complete, consistent, enduring and available throughout the data life cycle for the defined retention period – implicit basic ALCOA principles.
Archiving: Archiving is the process of protecting records from the possibility of being further altered or deleted, and storing these records under the control of independent data management personnel throughout the required retention period. Archived records should include, for example, associated metadata and electronic signatures.
Audit trail: The audit trail is a form of metadata containing information associated with actions that relate to the creation, modification or deletion of GxP records. An audit trail provides for a secure recording of life cycle details such as creation, additions, deletions or alterations of information in a record, either paper or electronic, without obscuring or overwriting the original record. An audit trail facilitates the reconstruction of the history of such events relating to the record regardless of its medium, including the “who, what, when and why” of the action.
Certified true copy or true copy: A copy (irrespective of the type of media used) of the original record that has been verified (i.e. by a dated signature or by generation through a validated process) to have the same information, including data that describe the context, content, and structure, as the original.
Data: All original records and true copies of original records, including source data and metadata, and all subsequent transformations and reports of these data which are generated or recorded at the time of the GxP activity and which allow full and complete reconstruction and evaluation of the GxP activity.
Data should be accurately recorded by permanent means at the time of the activity. Data may be contained in paper records (such as worksheets and logbooks), electronic records and audit trails, photographs, microfilm or microfiche, audio or video files or any other media whereby information related to GxP activities is recorded
data governance: The sum total of arrangement which provide assurance of data quality. These arrangements ensure that data, irrespective of the process, format or technology in which it is generated, recorded, processed, retained, retrieved and used will ensure an attributable, legible, contemporaneous, original, accurate, complete, consistent, enduring and available record throughout the data life cycle.
Data life cycle: All phases of the process by which data are created, recorded, processed, reviewed, analysed and reported, transferred, stored and retrieved and monitored, until retirement and disposal. There should be a planned approach to assessing, monitoring and managing the data and the risks to those data, in a manner commensurate with the potential impact on patient safety, product quality and/or the reliability of the decisions made throughout all phases of the data life cycle.
Electronic signatures. A signature in digital form (bio-metric or non-biometric) that represents the signatory. In legal terms, it is the equivalent of the handwritten signature of the signatory.
good practices (GxP). An acronym for the group of good practice guides governing the preclinical, clinical, manufacturing, testing, storage, distribution and post-market activities for regulated pharmaceuticals, biologicals and medical devices, such as GLP, GCP, GMP, good pharmacovigilance practices (GVP) and good distribution practices (GDP).
Metadata: Metadata are data about data that provide the contextual information required to understand those data. These include structural and descriptive metadata. Such data describe the structure, data elements, interrelationships and other characteristics of data. They also permit data to be attributable to an individual. Metadata necessary to evaluate the meaning of data should be securely linked to the data and subject to adequate review. For example, in weighing, the number 8 is meaningless without metadata, such as, the unit, milligram, gram, kilogram, and so on. Other examples of metadata include the time/date stamp of an activity, the operator identification (ID) of the person who performed an activity, the instrument ID used, processing parameters, sequence files, audit trails and other data required to understand data and reconstruct activities.
Raw data: The original record (data) which can be described as the first-capture of information, whether recorded on paper or electronically. Raw data is synonymous with source data).
Data should be attributable, legible, contemporaneous, original, accurate, complete, consistent, enduring and available. This is generally referred to as ALCOA+
Data governance systems should include e.g.:
• training in the importance of DI principles;
• the creation of an appropriate working environment;
• active encouragement of collecting feedback and continuous improvement; and
• the reporting of errors, unauthorized changes, omissions and undesirable results.
Compliance with the principles and responsibilities should be verified during periodic site audits. This should include the review of procedures and data (including raw data and metadata, paper records, electronic data, audit trails and other related data) held by the contracted organization that are relevant to the contract giver’s product or services.
Where data and document retention are contracted to a third party, particular attention should be paid to understanding the transfer, storage, and restoration of data held under that agreement, as well as controls to ensure the integrity of data over its life cycle. This includes data in motion and data at rest. Tools should be identified to ensure data integrity, for example, encryption [7]
Conclusion
Pharmacovigilance Audits are conducted to verify, by examination and evaluation of objective evidence, the appropriateness and effectiveness of the implementation and operation of a pharmacovigilance system, including its quality system for pharmacovigilance activities.
References:
[1] Internet Definition from an extraction ICH and ISO definitions
[2] https://www.thefdagroup.com/blog/2014/11/pharmacovigilance-audits/
[3] Europe, Colombo Office, Sri Lanka. https://glceurope.com/blog/pharmahttps://glceurope.com/blog/pharmacovigilance-audits-types-of-pv-audits#covigilance-audits-types-of-pv-audits#
[4] https://www.haney-pharma.de/en/pharmacovigilance-audits
[5] IIA International Standards for the Professional Practice of Internal Auditing
[6] Author: Virigilio vinas,MD, MPH, PhD
[7] https://www.who.int/docs/default-source/medicines/norms-and-standards/current-projects/qas19-819-rev1-guideline-on-data-integrity.pdf
Student Name: Srujana Koorapati
Student ID: 128/072023
Qualification: M.Pharmacy
Mail ID: koorapatisrujana@gmail.com
Comments