Audits and Inspections in Pharmacovigilance
The words' audits' or 'inspections' can catch anyone
off guard. Still, at the same time, they are a huge learning opportunity for us
to identify deficiencies/gaps in our processes and how we handle our routine
operations.
What are some basic readiness actions we can take from
the operations team (meaning the team that is actually handling
pharmacovigilance tasks) and excluding the Quality Assurance (QA)/PV responsible
team, who is actually the owner/leader on audits/inspections.
There is depth of information on types of audits,
inspections, how to prepare for them, corrective action, inspection report etc,
but I will focus only on actual, easy and simple topics that are expected from
any PV operations team member. Obviously, inspections responsible team and
higher leadership roles in PV will have to know more than described
herein.
Inspection/Audit (A/I) readiness:
Personnel: An audit or inspection will have a Lead auditor/lead
inspector at the Auditor/inspector end. If 2 or more regulatory authorities
(RA) will conduct an inspection, then one RA will lead. The inspector/auditor will
send a notification in advance about the inspection with an agenda. However,
some inspections may be a surprise without notification or an agenda.
Internally at the MAH end, a list of functions/departments
will be decided for roles and responsibilities based on the type of inspection
and agenda. A dedicated SME are identified for each process, and this is part
of inspection or audit readiness, which is described and documented throughout
the year and is ready, not started after the inspection notification.
Location: The mode of A/I can be on-site, meaning in
person, virtual or sometimes hybrid. For a local site specific A/I the
availability of SME might be constraints and this should be clearly
communicated and documented to auditors/ Inspectors (As/Is).
Agenda: A clear agenda—when provided in an As-Is
state—significantly helps in identifying and distributing roles and
responsibilities across various functions such as Regulatory, Clinical, QA, and
Pharmacovigilance. In the absence of a defined agenda, there should always be
an established framework at the MAH level, such as SOPs or a responsibility
matrix, to ensure that the appropriate function addresses specific questions
and requests efficiently.
Tools: Teams, SharePoint, Google Meet, Zoom and any
other tools for communication within MAH team members and externally with As/Is
need to be established. Avoid non-validated or generic channels like WhatsApp.
Limit the document sharing or discussion on non-validated channels as this may
infringe on data privacy and confidentiality. Printers should be dedicated for
any prints or xerox avoiding any chaos or data sharing issues. Particular
meeting rooms should be booked – a front room with As/Is and backroom for the
MAH members.
1) Document readiness:
All documents pertaining to the processing of adverse drug
reaction reports, like receipt of the reports by fax, mail, hard copies or soft
copies received via website, call centre, sites, consumers/patients etc should
be appropriately archived as per internal SOP (in line with HA requirements)
and be available to be reproduced if requested by an auditor or inspector.
If there is involvement of other vendors, such as CRO
(contract research organization) or any other company to whom part of or
all of PV is outsourced, then both MAH (marketing authorisation holder/pharma
company) a SDEA and additional documents as needed on data archival,
should be clearly mentioned. Adverse drug reaction reports (SAE forms/ email
form patient) etc are the most critical documents as they contain personal
information of the patient protected under various country-specific laws and
regulations, hence there storage and archival should be very clearly defined
and followed.
All the other documents e.g. not limited to investigator's
brochure, CCDS, protocol, SmPC, labelling documents, DSUR, PBRER, clinical
study reports etc should also be defined regarding their availability (common
share file location -access restricted) and who is responsible for ensuring the
most recent versions are available to the team for reference, and the update
process should be defined.
The SOP should clear enough to address who, what , how and
when at the company level so the processes are robust. More details on this can be
found on GVP Module I. All the team members processing the adverse events
and handling PV should have training compliance and a training matrix to
showcase the SOPs are followed.
3) PV professionals:
There has to be clear documentation on handling of PV
functions per requirements by local and National HA eligibility rules. The CV,
JD (Job description), training records, and training matrix should be clearly
documented and regularly updated per requirement. Whenever required, only reading and understood document may not be enough, but a quiz or exam to ensure
understanding should be implemented.
Many health authorities need medically qualified persons to
handle PV functions of casualty assessment and medical narrative of adverse
drug reaction reports. This has to be documented and the training and required
qualification to be updated.
4) PV practices:
There has to be clear documentation on each and every
process. For e.g. mail communication with reporters, investigators, patients, and
consumers to reproduce CRO/MAH attempts to have complete medical documentation
of all adverse drug reactions (ADR) reports. All calls, e-mails etc between any
PV professional at CRO or MAH also documented to make sure each ADR/PV
follow up attempts are tracked correctly.
The PV practices should also have assessment check
points, if the process is effective and is being followed or not. Regular
assessment of each SOP and process described in it should be planned and
carried out.
5) PV function readiness:
Any request or actions from health or regulatory authorities in the form of requests, questions, queries, or audit findings should be actioned and discussed across the entire PV team. Any action or root cause that is found to be due to another department should be communicated as such to them. The pharmacovigilance department should always be audit/Inspection ready, as it is a department that concerns the safety of patient and any finding or gap will impact all other departments and patients' safety.
6) PV Database:
Knowledge on technical details on database used by MAH/CRO
should be across PV team, and any data privacy measures, threats etc discussed
and documented properly to ensure there are measures to avoid patient data leak
etc. An appropriate team such as IT, Database vendors have to be involved to
address this.
Post Audit/Inspection: A preliminary report should be
generated and shared daily when an audit/inspection (A/I) extends beyond one
day. This enables relevant stakeholders to review observations and prepare
effectively for subsequent days. Following completion of the A/I, a draft final
report summarising the findings should be circulated to all relevant functions.
Responsibilities should then be assigned to the appropriate functions to
address the observations and initiate CAPA (Corrective and Preventive Actions).
Once the final A/I report is received and confirmed by the auditors/inspectors
(As-Is), it should be formally distributed to all stakeholders. Based on critical
impact, any actions to be taken should be immediately decided, and this
definition of critical and the mode of action with timelines should already be
described in the internal MAH sop.
Dr.Shraddha Bhange.
Connect with me Via comments below. (I do not respond to Facebook messages)
Support the cause of better rural education with me: ThinkSharp Foundation http://thinksharpfoundation.org/#home
References:
2. https://www.gov.uk/government/organisations/medicines-and-healthcare-products-regulatory-agency
5. https://www.gmp-compliance.org/gmp-news/pharmacovigilance-inspection-metrics