Preparing for a Safety Inspection

This article will be published in the September 2011 issue of the Drug Information Journal. Copyright © 2011, Drug Information Association.


Large and small pharmaceutical companies alike face a growing and complex set of international regulations designed to protect patient safety and ensure Good Pharmacovigilance Practices. Inspectors from FDA and European regulatory authorities are increasing their efforts to verify that companies comply with these regulations. The penalties for non-compliance can be severe, including revoking a product’s marketing authorization. In my experience, European safety inspections (particularly those conducted by the MHRA) are more thorough than FDA inspections, holding companies to a higher standard of pharmacovigilance. While FDA inspections are very detail-oriented, European inspections tend to look for the big picture, and want to find that companies are taking an integrated, global approach. It is also the case that while FDA inspectors may cover many areas of compliance, European safety inspectors tend to be specialists in this field.

To prepare for an inspection, companies must perform a thorough drug safety and pharmacovigilance audit. This will assess the company’s compliance with applicable worldwide laws, regulations and guidance. Indeed, regulatory inspectors will look for evidence that such an audit has taken place. I recommend that all companies arrange to have an independent audit of their entire safety operations, in order to prepare for a regulatory inspection.

This article is designed to give companies operating in the US and EU the information and insight needed to ensure compliance with global drug safety and pharmacovigilance regulations. It addresses the most recent drug safety regulations from both FDA and EMA.

Regulatory Background

Here is a matrix of the major global safety regulations:

| | Clinical Development | Post Marketing |
| --- | --- | --- |
| | (Clinical Safety) | ICH E2D (Expedited Reporting) |
| European Union | EU CTD Directive 2001/20/EC; Volume 10 | Volume 9A |
| United States | 21 CFR 312.32 | 21 CFR 314.80 |

US Regulations

The FDA regulation on IND safety reporting is described in 21 CFR 312.32. FDA recently issued a new draft guidance: “Safety Reporting Requirements for INDs and BA/BE Studies” in September 2010. The proposed implementation date is September 29, 2011. FDA requests sponsors to evaluate clinical safety data and only submit to FDA those reports that the sponsor deems of interest. The assessment of causality has been changed from ‘a causal relationship cannot be excluded’ to ‘there is a reasonable possibility that the drug caused the event.’ This new regulation differs from the prevailing ICH guideline on safety reporting of investigational products, which recommends that companies report SAEs where the assessment of a causal relationship to the drug cannot be ruled out. Hence companies will need to apply different standards to IND safety reporting in the US than in the rest of the world.

These are the current post-marketing FDA regulations:

  • 21 CFR 310.305 describes the requirements for safety reporting of AEs on marketed drugs without NDAs
  • 21 CFR 314.80 describes the requirements for post-marketing reporting of AEs from marketed drugs with NDAs
  • 21 CFR 600.80 describes the requirements for post-marketing reporting of biological AEs

EU Regulations

The situation in Europe is very different to the US. The European Union (EU) comprises 27 sovereign Member States (MS). The EU excludes some well-known countries such as Switzerland and Norway, and includes other parts of the world such as French Guiana in South America. These and other countries not in the EU may also follow EU laws.

An important component of European pharmacovigilance is EudraVigilance. This is a central computer database created and maintained by the EMA containing adverse events for products licensed in the EU. Electronic reporting to EudraVigilance is mandatory.

Drug safety and pharmacovigilance activities in the EU are regulated as follows:

  • The Clinical Trial Directive (CTD) governs the conduct of clinical trials on medicinal products for human use in the EU.
  • The CTD was amended by Volume 10 [1] in 2006.
  • Volume 9A is the prevailing EU guidance on post-marketing safety requirements.
  • On December 31, 2010 the European Parliament approved new pharmacovigilance legislation which will come into effect in July 2012.

EU regulations are more complex than US regulations. They are more detailed, more comprehensive, and because of the local variations within European countries which are constantly changing, they are more difficult to understand and follow. An essential requirement for companies marketing their products in Europe is the Qualified Person for Pharmacovigilance. The requirements for this key role are described in detail in Volume 9A, and must be in place.

European Signaling Requirements

In Europe there are detailed guidelines [2] clarifying the requirement for companies to conduct regular signal detection of their safety data. In the US there is guidance [3] on this topic but no regulation. Volume 9A, section 8.1 describes the MAH’s requirements for signal detection. The MHRA further stipulates [4] that "All MAHs are expected to have in place systems and procedures for systematic signal detection that are adequately documented in formalized procedures." MHRA requires that:

  • Signaling analyses are performed more frequently than PSUR review
  • The method used should be appropriate for the MAH's dataset
  • The use of complex statistical tools may not be appropriate for MAHs with a small dataset
  • MAHs should have systems in place to assure the quality of their signal detection processes
  • The MAH should take timely and appropriate actions and decisions based on the outputs from cumulative data review

It is interesting to note that the MHRA draws a distinction between its signaling expectations for small companies and its signaling expectations for large companies. While they require companies to have a system in place for signaling, they do not expect that companies with a relatively small safety database (a few hundred or a few thousand cases) would need to use a signaling system that includes complex data mining algorithms.

FDA Requirements for Signaling and Risk Management

FDA issued three guidance documents on Risk Management in March 2005:

  • Premarketing Risk Assessment
  • Risk Management Programs
    • Risk Communication
    • Risk Intervention
    • Risk Management Evaluation
  • Good Pharmacovigilance Practices & Pharmacoepidemiology

The recommendations contained in the second of these guidances were incorporated into the FDA Amendment Act (FDAAA), which was signed into law in September 2007. This act requires companies to prepare and submit Risk Evaluation and Mitigation Strategies (REMS) along with their New Drug Application, where it is necessary to ensure that the drug’s benefits outweigh its risks. The third guidance on Good Pharmacovigilance Practices & Pharmacoepidemiology contains some excellent suggestions on how to perform signal detection and data mining, but these concepts have not been issued by FDA as a regulation to date. This third guidance lists three recommended algorithms to use for data mining (MGPS, PRR and BCPNN) and gives detailed instructions on how to perform case series analyses.

The Pharmacovigilance Audit

A pharmacovigilance audit is an examination and verification of processes, data and documentation relating to drug safety by a non-governmental agency (such as a business partner, contractor, internal QA group, etc.). These are conducted so as to prepare for an inspection by a government body (FDA, MHRA, EMA, etc.).

Entities that can be audited include:

  • Company's HQ and regional offices
  • Data entry and call centers
  • Investigator sites
  • Partners, distributors, licensees and licensors
  • Vendors, contractors and suppliers
  • Contract research organizations
  • Contract safety organizations

In order to prepare for a pharmacovigilance inspection, companies should conduct an audit in order to obtain a diagnostic overview of the company’s pharmacovigilance activities. This will allow a rapid understanding of the current position versus best practices and applicable drug safety regulations. As a result, gaps and risks will be identified, and priorities established for moving forward to ensure company compliance.

The pharmacovigilance audit should include a review of:

  • Pharmacovigilance strategy
  • Results of FDA or other third-party assessments
  • Structure of the company's pharmacovigilance organization
  • Skills and resource levels
  • Interfaces, linkages and communication
  • Pharmacovigilance processes and SOPs
  • Tools utilized in assessing, analyzing and reporting safety data
  • Safety surveillance and signaling activities
  • Quality assurance and quality control processes
  • Performance monitoring and metrics

Specific audit items for each of the elements of the following process model are described below:

Audit Items - Collect Data:

  • Processing of safety information
    • Mechanisms to process adverse events received by telephone, email, letter, company websites, and partners should be clearly defined.
    • There is a general consensus that adverse events reported on company-sponsored websites should be processed but the question of how to deal with safety reports via social media outlets such as Facebook, Twitter and other forums has yet to be resolved (i.e., there is no clear regulatory guidance in place yet for social media forums).
  • Sources of data
    • The company should be able to detect adverse events contained in product complaints and medical information requests.
    • There should be a process in place to perform a weekly review of global literature. In Europe local language publications should be reviewed also.
  • Safety data exchange agreements
    • Safety data exchange agreements that govern the transfer of information from subsidiaries, partners, distributors, contractors, licensees, licensors etc. should be in place regardless of whether the safety data is being transferred to or from the HQ safety department.
  • Outsourcing to CRO/CSO
    • The agreement with a contract research organization or contract safety organization will be reviewed, together with the mechanism for oversight of the contractor’s operations and ways to ensure quality.
  • Follow-up data collection
    • The number and type of follow-up attempts made is important, as is the skill level of the person calling.
  • Clear definition of start date
    • This is essential so as to determine correctly 15-day reporting deadlines. If a case is received by an agent or partner of the company then the start date recorded should be the date that the agent or partner became aware of the event.

Audit Items - Assessment

  • Who is assessing cases for serious/expected/causally related events? What are their qualifications?
  • Are all cases medically assessed? Are non-serious cases reviewed medically to ensure no serious events may have been missed?
  • Who is responsible for ensuring the consistency of coding key data items (using MedDRA and WHO Drug)? What is the skill level of the coders? Are coding guidelines in place?

Audit Items - Reporting

  • Have all boxes been filled in correctly on the MedWatch form?
  • Has the company met all its 7- and 15-day reporting deadlines?
  • Are metrics in place and regularly reviewed to ensure that reporting deadlines are met?
  • As part of an audit, conduct a medical review for consistency of the following:
    • source documents
    • database records
    • final MedWatch/CIOMS form

Audit Items - Analysis

  • Ensure that signaling and risk assessment activities are conducted, including:
    • When is this done?
    • How is it done?
    • What is done with the results?
  • Check the process for escalation of safety issues, including:
    • Committees, responsibilities, actions taken
    • Communication to regulatory authorities, IRBs, etc.
  • Are crisis management plans in place?

Additional Audit Items

    • Review previous audit/inspection reports to ensure that follow-up commitments from previous inspections have either been met, or at the very least, are being tracked in a Corrective and Preventive Actions (CAPA) system.
    • Review prior audit reports from subcontractors and partners.
  • SOPs and Work Instructions
    • Ensure these meet the requirements for content, quality and completeness. A list of required SOPs is specified in Volume 9A.
    • Ensure that SOPs have been deployed throughout the safety organization, that people have been trained to the SOPs and that the SOPs are consistently followed.
  • Personnel files
    • It is important that inspectors should have easy and quick access to comprehensive personnel files for each staff member. The files should include a job description, a Curriculum Vitae and a well-maintained (complete) set of chronological training records.
  • Metrics
    • Review the scope, frequency and monitoring of safety department metrics.
  • Quality systems
    • Processes and SOPs should be in place that govern both the quality assurance (QA) and the quality control (QC) of the safety department’s operations. QA should be independent but QC may be conducted on a peer-to-peer basis within the department.
  • Vendors
    • The safety database vendor should also be audited and proof of the audit should be available to inspectors.
    • It is important that all databases maintain an audit trail.
    • Signaling software should also be reviewed.
    • Off-site storage and business continuity suppliers are also subject to audit(s).
  • Validation
    • Proof of compliance with 21 CFR Part 11 should be available for all computer systems.
  • Business continuity plans should be available.

Having conducted a comprehensive audit as described above, the company can establish the Pharmacovigilance Risk Profile, showing which gaps to close:

The green line shows perfect compliance with regulations and adherence to best practices. If this is achieved then the company is probably spending too much money on drug safety! The red line shows the company’s actual score and points to where companies need to concentrate on remediation efforts.

Inspection Findings

The following is a list of common inspection findings in the EU and US:

  • In Europe, watch out for the Qualified Person for Pharmacovigilance (QP) role. According to MHRA, most inspection findings relate to the QP. These include:
    • No evidence that the QP was in place prior to the inspection
    • QP is not “permanently and continuously” available in the EEA
    • QP role has been outsourced, but the contract is deficient
    • QP has no access to a medically qualified safety expert, if not medically qualified himself/herself
    • QP does not have adequate experience in all aspects of PhV
    • QP’s contact details were not communicated to the authorities
    • QP has inadequate oversight of the PhV system, especially quality and timeliness of expedited reporting and PSURs
    • QP does not ensure that information regarding suspected adverse reactions is collected and collated to be accessible in at least one point in the European Community
  • People have inadequate qualifications, experience, expertise, knowledge, and training
  • Key processes are not supported by procedural documents
  • Significant non-compliance with 15-day reporting timelines for expedited reports
  • Failure to submit all appropriate reports to competent authorities
  • MAH unable to submit reports electronically to EudraVigilance (and ultimately, all competent authorities)
  • Failure to produce PSURs that are ICH E2C compliant, complete and accurate
  • Failure to prepare and submit PSURs at the correct time
  • No formal procedures for signal detection/trend analysis
  • No formal, periodic review of information to identify new safety issues (except at time of PSUR production)
  • Documentation relating to performance of signal detection/trend analysis not retained
  • Failure to communicate new safety issues in a prompt manner to competent authorities

Penalties for Non-compliance

Commercial penalties from market withdrawal (due to safety reasons) are highly damaging, including loss of revenue, drop in shareholder value, the cost and penalties of litigation and the loss of goodwill by both the public and regulators. Some examples of the cost of failure:

  • Wyeth’s Fen-Phen withdrawal resulted in class action settlements of $5 billion and a litigation reserve of $17 billion.
  • Bayer agreed to pay $1.06 billion to settle 2,771 personal-injury lawsuits related to its former cholesterol-lowering drug Baycol.
  • The withdrawal of Vioxx resulted in:
    • A reduction in Merck’s market capitalization of $27 billion overnight
    • A loss of $2.5 billion in annual sales
    • A $50 billion initial estimate of legal liabilities

Regulators can impose penalties following an inspection. In the US the possible sanctions are as follows:

  • FDA 483: A report of deficiencies following an FDA inspection
  • Establishment Inspection Report (EIR)
  • Warning Letter
  • Seizure of product
  • Consent decree (for example Schering Plough was fined $500 million for manufacturing violations)
  • Criminal prosecution

FDA can also impose civil monetary penalties for violations of the REMS provisions in FDAAA. Penalties may not exceed $250,000 per violation, or $1 million for all violations adjudicated in a single proceeding. If a violation continues after the sponsor receives written notice, the penalty is $250,000 for the first 30-day period (or any portion thereof) that the violation continues, not to exceed $1 million for any 30-day period and not to exceed $10 million for all violations adjudicated in a single proceeding.

In Europe, financial penalties to MAHs were introduced in 2007 in respect of infringements associated with non-compliance for centrally authorized products of up to 5 percent of total EU annual turnover per annum.

How to Address Audit and Inspection Findings?

The first step is to prepare for a regulatory inspection before it occurs! If your company markets products in Europe, then it is worthwhile to prepare a Summary of Pharmacovigilance Systems [5] document, even if you have no MHRA inspection planned. In the US, you should review the FDA Compliance Program Guidance Manual [6]. You should also seek an independent, unbiased evaluation of your drug safety organization, just as a sanity check!

Ideally, it is important to keep track of all audit- and inspection-related findings in a Corrective and Preventive Actions (CAPA) system. All findings should be monitored by the group responsible for quality and action should be taken to fix the problems once they are identified. If prior findings have not been corrected it's not a good thing (obviously) but in the event of an inspection, the findings should, at the very least, be in the process of being tracked within a CAPA system. Tracking findings will mitigate—to some extent—the failure to resolve the issue.

Systematic failures in a PV system cannot be fixed overnight. Companies must be prepared to invest time and effort to get things on track. This is a worthwhile investment however. Some regulators have an institutional memory and once a company has committed a significant transgression it will be regarded (sometimes forever) with suspicion.


In order to ensure compliance, companies should establish and conform to industry best practices; ensure awareness of all applicable regulatory standards; perform ongoing self-monitoring and self-correction of pharmacovigilance; provide corporate support to ensure resource allocation; conduct audits; and ensure complete and timely response to any findings of non-compliance either by regulatory authorities or by an auditor.


Steve Jolley is a subject matter expert in all areas of global safety compliance and signal detection, and is a frequent speaker at leading industry events with FDA and MHRA on the topics of auditing and signaling.

Steve has 25 years of experience in drug safety & pharmacovigilance and has worked with over 50 clients in the US, Europe and Japan. He holds degrees in mathematics and computer science from Cambridge University, England. Steve was recently elected chairperson of the DIA Clinical Safety and Pharmacovigilance steering committee for North America.

tel: 973 543 0622
cell: 973 294 8118
SJ Pharma