GVP Audits: How to Prepare Your Pharmacovigilance Department for Inspections

GVP Inspection is not "if", but "when"

For a Qualified Person for Pharmacovigilance (QPPV), notification of an inspection by a regulatory authority (such as AIFA or another European authority coordinated by the EMA) is one of the moments of greatest professional pressure. Pharmacovigilance inspections (GVP), regulated by GVP Module III, are no longer rare events; they are a standard component of regulatory oversight.

The inspector's goal is not to "catch the company" but to verify that a functioning, effective, and regulatory-compliant pharmacovigilance system exists, the ultimate goal of which is to protect public health.

Being "inspection-ready" doesn't mean frantically preparing two weeks before the audit. It means operating in a state of continuous compliance. The Manufacturing Manager is responsible for ensuring GMP compliance on the production floor; the QPPV is responsible for ensuring GMP compliance throughout the entire safety management system. Let's look at how to prepare and what to avoid.

What Are EMA and AIFA Inspectors Looking For? The PV Compliance Trifecta

A GVP inspector will focus on three key pillars, the pharmacovigilance "trifecta," to assess the health of your system.

1. The System (The PSMF)

The Pharmacovigilance System Master File (PSMF) is the map. The inspector will use it to navigate your organization. The first check is: is the map accurate?

• Update: Does the PSMF reflect current operational reality? Are the organizational charts accurate? Does the list of SOPs match?
• Completeness: Are all sections required by GVP Module II present?
• QPPV Oversight: Does the QPPV demonstrate knowledge and use of the PSMF?

2. Processes (ICSR, Signals, PSUR)

This is where operational effectiveness is assessed. Inspectors will take data samples (a process called "traceback") to verify flows.

• ICSR Management: Were cases (especially serious ones) processed, assessed, and sent to EudraVigilance within the legal deadlines (e.g., 15 days)? Compliance KPIs will be monitored.
• Signal Management: Does the company have a proactive signal detection process? Or does it simply react to requests from authorities? The inspector will request to see signal detection reports and assessments.
• PSURs and RMPs: Are PSURs submitted on time? Have risk minimization measures (RMPs) been implemented as promised?

3. Oversight (The Role of QPPV)

This is the most critical point. The inspector must be convinced that the QPPV actually has control and authority over the system.

• Authority: Does the QPPV have sufficient authority to influence management?
• Involvement: Is the QPPV involved in key decisions (e.g. database changes, critical signal management, SDEA approval)?
• Knowledge: Does the QPPV know what happens in local affiliates or outsourced partners?

Common GVP Audit Findings: 5 Mistakes to Avoid

Analysis of public GVP inspection reports reveals recurring patterns of non-compliance (critical or major findings).

1. PSMF Non-Compliant: The most common finding. The PSMF is incomplete, outdated, or (worse) describes an ideal system that doesn't match operational practice.
2. Delays in Reporting (ICSR): Systematic failure to meet the 15-day deadlines for serious ICSRs. Often caused by slow flow from local affiliates or partners (weak SDEAs).
3. Poor Data Quality: Duplicate cases, incomplete cases, lack of follow-up, and incorrect MedDRA coding. This undermines the ability to perform accurate signal detection.
4. Ineffective Partner Management (SDEA): Security Data Exchange Agreements (SDEA) with partners and distributors are vague, unsigned, or (more seriously) not respected. The company does not perform case reconciliation with partners.
5. Weak or Absent Signal Detection: The company does not have a documented proactive process for analyzing signals, or does so "by feel" without a traceable methodology.

Audit Readiness: 10 Steps to QPPV

Being "ready" means having a functioning GVP quality system. Use this checklist for a self-assessment:

1. Updated SOPs: Are all procedures (GVPs) reviewed, approved, and are staff trained?
2. Training Records: Are training records (including QPPV and Deputy) complete and up-to-date?
3. PSMF "Mirror": Has the PSMF been reviewed in the last 6 months and does it reflect reality 100%?
4. KPIs Ready: Do you have your compliance KPIs (ICSR reporting, PSUR) for the last 12 months ready to display?
5. SDEA List: Do you have a complete list of all partners with signed SDEAs and their review dates?
6. Audit Log: Do you have a list of internal and external GVP audits (including reports and CAPAs) ready?
7. CAPA Status: Are all CAPAs (from audits, deviations, etc.) tracked and closed (or on time)?
8. Signal Reports: Can you quickly retrieve signal detection reports for the last 6 months?
9. Database Validation: Is the security database validation report (or summary) available?
10. Business Continuity: Is the backup plan for QPPV and the system (disaster recovery) tested and functioning?

Error vs. Action: Handling a Critical Finding

During an audit, the inspector discovers a serious problem. The QPPV's response often determines the severity of the final finding.

Error Scenario: The inspector, analyzing a partner's (CRO) flow, discovers that the CRO received 10 serious cases for one of your products 30 days ago, but hasn't sent them to you yet. Your reporting KPI (based solely on your data) is 100%.

• WRONG Action (Defensive): "It's the CRO's fault. Our SDEA says they have to send them within 7 days. They're at fault, not us. We can't control what they do."
• Why it's wrong: It demonstrates a lack of oversight . The ultimate responsibility lies with the MAH (and its QPPV), not the CRO.
• CORRECT Action (Responsible):
1. Accept: "Thank you for highlighting this discrepancy. This is a serious finding that we hadn't identified."
2. Containment (immediate): "We will immediately ask the CRO to send these 10 cases and a report on any other missing cases. We will verify the impact on the safety profile."
3. Root Cause Analysis: "Our reconciliation process with the CRO is clearly not working. We need to investigate why our SDEA was not met and why our controls failed to detect the problem."
4. CAPA (Proposal): "We propose to (1) Submit cases immediately; (2) Perform a full reconciliation within 48 hours; (3) Schedule an urgent audit at the CRO; (4) Revise the Partner Management SOP to include a mandatory monthly reconciliation with documentary evidence."

This approach demonstrates ownership of the problem, understanding of the risk, and a robust action plan, mitigating the impact of the finding.

Conclusion

GVP inspections are a robustness test. A QPPV that manages its system transparently, monitors performance with honest KPIs, and uses the PSMF as an active management tool has nothing to fear. The audit becomes an opportunity for constructive discussion and continuous system improvement.

Keep your company audit-ready. To master GVP Modules I, II, III, and IX and prepare for any inspection, discover the complete guide " The Role of the Pharmacovigilance Manager (QPPV) and His Team " on GuideGxP.com.