48

Audits and Inspections

The U.S. Food and Drug (FDA), the European Medicines Agency (EMA), the United Kingdom’s Medicines and Healthcare Products Regulatory Agency (MHRA), Health Canada, and many other national health authorities are permitted or required by law to perform inspections of companies to ensure that they comply with all safety reporting regulations.

Although the terms often used interchangeably, audit and inspection are not quite the same. An inspection in the drug safety context generally refers to an inquiry, examination, and verification of processes, data, records, regulatory compliance and databases etc. by a government or official authority. An audit is the same but done by a nongovernmental entity, such as one’s own company, or a partner, vendor, supplier, client, and so forth. Note: In this chapter, unless otherwise specified, the terms will be used interchangeably.

Government inspections are largely done to protect the public health: to verify compliance to the regulations, to monitor the industry, as part of normal business (e.g., a routine every 2 to 3-year inspection), for cause to investigate a problem. Audits are done primarily for business reasons: compliance to regulations; due diligence of a new or ongoing vendor, partner, client, supplier; investigation of a problem; routine as part of a quality management system, and so forth.

Such audits and inspections may be periodic and routine (e.g., yearly) covering one or more products, general or specific (e.g., look at a newly installed IT system) or they may be nonperiodic for cause, looking at a specific problem or issue. “Targets” of the audit include the pharma company (headquarters, regional or national offices, clinical research, monitors, legal, the CEOs office, telephone operators, websites and webmasters, regulatory, legal, sales, marketing, ad agencies, data entry, IT department, training department, medical writing, aggregate reporting group (PSURs), licensing group, compliance/quality group, manufacturing, product quality partners, distributors, codevelopers, licensees and licensors, vendors, contractors, CROs, data storage facilities, archiving, investigator sites, and anyone in the safety “chain.” It may cover clinical research and unapproved drugs or marketed products or both.

Most agencies now are doing inspections on a risk basis. That is, they classify and inspect on a priority basis those companies perceived to be at higher risk of having safety issues. The agencies use either a formal risk rating system (MHRA; see below) or a more informal ranking (companies that just merged, have safety problems, launch a major new or toxic drug, etc.) to prioritize their inspections.

For inspections in the European Union, a very detailed document must be supplied some 6 to 8 weeks before the inspection. This document comes in several forms, depending on the country (called the Summary of PV Systems in the United Kingdom and the Detailed Description of PV Systems by the EMA). It must be prepared and submitted before an inspection (and in MA filings). It may run, with appendices, hundreds of pages, and is supplied on a CD or DVD. In addition, the United Kingdom also requests that firms supply a “Compliance Report,” which measures a firm’s “risk” and “control.” See Chapter 45 for full details on these reports.

Anything and anyone involved in AEs and safety are fair game. The audit will cover the processing and handling of safety information from all sources; SOPs; working documents, guidances, manuals; measurable and quantifiable data; follow-up; coding (MedDRA, drugs); literature review; medical information; queries and questions; expedited reporting (7-and 15-day reports); periodic reporting; risk management and epidemiology; safety agreements with partners, codevelopers, CROs, and so forth; handling of technical and product quality complaints; medication errors; registries; call centers; outsourcing and off-shoring; quality systems; IT; data privacy and security; data backup and archiving; training; off-hour and weekend/holiday coverage; crisis management; safety information communication; safety labeling; signaling; and problem escalation.

The auditors will likely ask for the following documents:

• General
  
  
  
  • Organizational charts to ascertain the personnel involved in handling AEs, complaints, and safety data
    
  • All procedural safety documents including standard operating procedures (SOPs), working documents, guidelines, manuals
    
  • All correspondence, meeting minutes, and notes relating to AE handling both internal and external (including health authorities)
    
  • A list of all products marketed in the country concerned along with their approved current labeling
    
  • A list of all collection sites, processing sites, and reporting units that handle cases
    
  • Copies of all contracts or safety agreements covering the receipt, handling, evaluation, and reporting of AEs to the health authorities
    
  • Job descriptions and training records
    
  • The quality system in place
    
  • How medical literature is searched (which databases) and handled
    
  • For European Union inspections, all information pertaining to the Qualified Person and his or her duties and function
  
  
• Specific Products
  
  
  
  • Drugs most likely to have unexpected SAEs
    
  • Drugs that could cause serious medical problems if they fail to produce their expected pharmacologic actions
    
  • Drugs most likely to have unexpected AEs are those meeting the following criteria:
    
    
    
    • Approved recently (e.g., last year or two)
      
    • New molecular entities
      
    • Known or suspected bioavailability or bioequivalence problems
    
    
  • REMS/RMPs, postmarketing safety commitments
  
  
• Specific Cases
  
  
  
  • A list of late expedited reports for the last year or two
    
  • Serious unlabeled AEs, particularly those involving death or hospitalization
    
  • Incomplete, serious, unexpected AEs or reports with unlabeled AEs and no outcome
    
  • Incomplete or nonvalid cases
    
  • “Non-cases”—that is, cases that do not have all four minimum criteria
    
  • Pregnancy listings

They will examine the cases for completeness and accuracy to ensure that all serious and unexpected spontaneous reports were submitted to the health agency within 15 calendar days:

• Was information on the form available at the time of submission?
  
• Was all relevant information included on the form?
  
• Was the initial receiving date supplied to the agency the same date as the initial receipt of information by the manufacturer?
  
• Was new follow-up information submitted to the agency?
  
• Where feasible, particularly when hospitalization, permanent disability, or death occurred, did the firm obtain important follow-up information to enable complete evaluation of the report?

• PSURs/PADERs
  
  
  
  • Copies of some or all of the reports for the drug(s) for the last year or two
    
  • Are all the appropriate reports and listings included?
    
  • Were the reports submitted in a timely manner?
    
  • Periodic reports that include unexpected SAEs that should have been submitted as 15-day reports
  
  
• IT Matters
  
  
  
  • Validation documents, change control SOP, disaster recovery procedures and results of testing, a system demonstration
  
  
• Clinical Trial Safety
  
  
  
  • Study protocol and amendments
    
  • IRB approvals, amendments, and yearly reapproval
    
  • Consent (including amendments)
    
  • Investigator brochure and updates
    
  • Investigator meeting presentations
    
  • Data safety monitoring board charter and meeting minutes
    
  • Investigator/IRB/ethics committee notifications for 15-day reports

The inspectors will request to meet with the appropriate people (both managers and staff) to go through the documents received. The company needs to make preparations (see below) to handle these requests. Questions may include the following:

• How does each type of AE come into the company and how are they handled?
  
• Are AEs being missed? Are all possible routes of entry into the company covered to ensure that cases are not missed?
  
• How are cases numbered and tracked?
  
• Case handling specifics: How are electronic (EDC, E2B), mail, and phone cases triaged and handled? How are AEs or potential AEs and complaints logged in?
  
• Are medical evaluations performed for each case and by whom and when?
  
• How and when is follow-up done?
  
• Who assesses seriousness and labeledness? Is the correct label used?
  
• Who determines whether a case is a 15-day alert report or is to be included in the PSURs/PADERs?
  
• Who sends the expedited reports and periodic reports to the health authorities? Where are these documents stored (paper or electronically) or archived?
  
• How is labeling handled and how does the company ensure that the labeling reflects the safety status of the drug?
  
• Are all the databases (commercial or custom-built) used for drug safety functions in compliance regarding validation, change control, data security and privacy, audit trails, and so forth?

In general, the government inspectors can see everything, though in general they do not look at commercial and money issues. The question of whether to supply internal or external audits of a company’s drug safety system often arises. The companies do not want to provide internal audit reports, arguing that they do not want to be “hanged by their own reports” and will avoid writing down anything problematic to avoid this. The FDA usually has not pressed for these reports, accepting a summary or the CAPA rather than the report itself. The European Union generally asks for and receives the reports.

Stay updated, free articles. Join our Telegram channel

Join