
MHRA GPvP Inspectorate Guide to Marketing Authorisation Holder Considerations for Agreements with Pharmacovigilance System Service Providers

Categories: Compliance matters, Good pharmacovigilance practice

The pharmacovigilance systems of marketing authorisation holders are often dependent on multiple third parties; extensive outsourcing and partnering is a feature of the pharmaceutical industry as much as any other. The range of activities spans individuals providing ad hoc advice to the outsourcing of the entire suite of critical pharmacovigilance processes and governance roles via licensing or marketing authorisation holder partners, vendors for services or tools, and individual contractors. Whilst the majority of service providers offer valuable and compliant support to marketing authorisation holders, the MHRA GPvP Inspectorate experience is that marketing authorisation holders do not always include adequate text in written agreements to allow management of the outsourced activities and the risk of serious pharmacovigilance failures.

Module III of Good Vigilance Practices (GVP) specifically lists risk factors for pharmacovigilance systems, accounting for mergers and acquisitions, sub-contracting, safety database and contractual arrangement changes1. However, the ease with which the regulatory framework accommodates third party working and changes in pharmacovigilance service provision may lead to an underestimation of the pharmacovigilance compliance risks. The purpose of this blog is to outline the issues identified through GPvP inspection experience, and provide recommendations in support of compliant practices.

In August 2016, MHRA published a blog2 to describe the experience from a pilot of service provider inspections, primarily from the perspective of inspectorate working practices and the feasibility of adjustments to risk based programming. This publication expands upon the areas identified as problematic for MAHs and service providers and provides points to consider when producing contract and agreement text.

Legislative Framework

In pharmacovigilance legislation3 the marketing authorisation holder retains responsibility for compliant activity even when the activity has been contracted out. In the UK specifically, penalties and sanctions are drawn against the marketing authorisation holder for offences identified in connection with Part 11 (pharmacovigilance). In this context, during inspection and other supervisory review by MHRA, the marketing authorisation holder’s delivery of pharmacovigilance is assessed, including in the event that issues arise from areas with a root cause in private contractual failures. Examples of findings from GPvP inspection have included scenarios where there have been deficiencies in service delivery per agreement(s) but also in relation to the MAH’s enabling of the service; in addition to specific pharmacovigilance failures that result from contractual issues, further deficiencies (root causes and findings) may include lack of appropriate detail in agreements, resourcing and record-keeping failures, inadequate oversight or failure to ensure sufficient authority/influence of the QPPV, and PSMF content absence or errors.

Challenges 1 - Data Integrity and control

Record-keeping – When subcontracting pharmacovigilance activities, the ownership and provision of safety data, source records and derived datasets need to be clearly allocated in agreements.

MAHs must be able to:

  • fulfil the requirements for record-keeping in support of safety data analysis and decision-making4
  • maintain a complete safety database5
  • establish a means of access to their safety database and records in the event of a request from competent authorities (e.g. for inspection, responding to safety data assessment questions)6
  • ensure that critical pharmacovigilance activities can be undertaken continuously, i.e. account for business continuity risk7

Records must be available to the MAH, irrespective of any third-party involvement, and including in the event of termination of the agreement, transfer of services or in association with the acquisition of a product through change of ownership8.  If data are lost or derived datasets become unavailable, it may be necessary for the MAH to reconstruct their safety database to fulfil their pharmacovigilance obligations and therefore MAHs may wish to hold copies (particularly of unique records that are not publicly available) to cover business continuity risk.  Parties should agree on which procedures and rules will apply to record retention (timeframes, archiving and destruction) and ensure that this remains compliant with legislative requirements.  Contracts and agreements should contain language to ensure that, where pharmacovigilance records and data are held solely by a third party, the timely provision of records and data for audit, inspection or Competent Authority enquiry can be assured.

Data migration – The MAH is responsible for data integrity when using a third party; the risk of data loss needs to be minimised, especially during transfers.

MHRA presented on the topic of data migration in the 2016 GPvP symposium; computer system testing and assurance of the completeness and accuracy of data migration is always needed when transferring data between parties; MAHs need to undertake validation of pharmacovigilance outputs from computerised systems.

Service providers need to be able to ensure the completeness and accuracy of MAH’s datasets in an environment where their PV database application may have been configured for different clients.

GPvP inspection findings have involved failures in planning to ensure that there is sufficient assurance of the completeness and accuracy of migrated datasets at the time when they are needed, resulting in non-compliance in signal detection, PSUR content and case submissions. It is advised that transition periods are planned for and reflected in contractual arrangements to ensure that there is sufficient time and resource available for data transfers, and that service providers can prevent backlogs or errors in critical pharmacovigilance activities when taking on new work.

Challenges 2 - Oversight and Supervision

Transparency – MAHs and service providers need to share information about pharmacovigilance risk and compliance to assess impact and address deficiencies.

Since the pilot on service provider inspections, MHRA has included, in inspection reports, specific text to remind MAHs and their service providers that corrective and preventative actions (CAPA) should include the assessment of inspection findings across the service provider’s client base where relevant. In doing so, MHRA have been able to modify inspection programming to account for non-compliance that may be under an acceptable plan for remediation on behalf of several MAHs, or where a particular organisation may have a widespread adverse impact on pharmacovigilance compliance across a number of MAHs’ pharmacovigilance systems.

MAHs should be aware that they may need to assist with risk and impact assessment and/or CAPA development for non-compliances arising from another organisation’s governance or inspection activities, and to support this, contracts should include requirements for service providers to share (anonymised) inspection and audit findings that have a potential impact on the MAHs’ pharmacovigilance system compliance.

Arrangements with service providers, and especially third party QPPVs, need to be clear about the responsibilities for the provision of data to authorities and the production of the PSMF9 (as a tool for competent authorities, the MAH audit planning and conduct, and QPPVs in the oversight and supervision of PV systems). GVP Modules I and II describe the pharmacovigilance system information that must be available to the QPPV and competent authorities:

  • MAHs are obliged to maintain the XEVMPD product and QPPV information in the Article 57 database10. Service providers may be used to maintain information in regulatory systems; in any case, MAHs must provide correct and current product information to pharmacovigilance service providers where this relates to the scope of their work.
  • The PSMF must describe the PV system of the MAH(s). Where service providers are undertaking to write the PSMF, there is necessarily a collaboration, such that the data reflects the MAH/product portfolio covered by that system. How the content will be acquired and maintained needs to be covered in written agreements.

Governance and performance – The MAH must have appropriate mechanisms to ensure that service provider performance is overseen and action can be taken if problems arise.

The principal tools for MAH governance in pharmacovigilance exist in the quality systems applied to pharmacovigilance systems. Agreements between parties should establish which quality system aspects will be used for particular activities, and MAHs need to be able to confirm that the minimum standards are applied11, including:

  • the appropriate selection of service providers and auditors
  • the sharing of information about risk and non-compliance, including information arising from inspections, deviations, key performance indicators (KPIs) or audit
  • resourcing and training provision, which may require capacity planning by the service provider, reporting on workload/activity, and must be accurately reflected in the PSMF.

Where a marketing authorisation holder has subcontracted some of its pharmacovigilance tasks, the MAH retains responsibility for ensuring that an effective quality system is applied in relation to those tasks. It may be appropriate for service providers and MAHs to conduct shared gap analysis and capacity planning, and agreements should include mechanisms for oversight, including independent audit.

Where MAHs agree to accept their service providers’ own commissioned audits to support oversight of performance, the MAH must be able to assure the independence and qualification of the auditor(s), and have access to the report(s).

QPPV oversight – The QPPV must have authority over the pharmacovigilance system, though the MAH remains responsible for the delivery of pharmacovigilance.

The QPPV responsibilities for the performance of the pharmacovigilance system need to be supported by the MAH; the MAH must also ensure that the QPPV has sufficient authority to influence the PV system12. In the context of service provider QPPVs, MAHs should ensure that:

  • the QPPV is sufficiently qualified and supported in the role, including access to other qualified individuals where needed (e.g. medically qualified staff), data and documentation needed to fulfil the role
  • the QPPV has sufficient capacity to fulfil the role where an individual may be acting as QPPV for a number of clients or separate pharmacovigilance systems
  • the elements of due diligence, the need for increased capacity or change to the PV system are covered by process and confidentiality arrangements
  • pharmacovigilance risk and non-compliance known to the QPPV is communicated to the MAH, and vice versa
  • permanent access to product and pharmacovigilance system risk and compliance information is provided

Challenges 3 - Contracts and Agreement Content

MHRA recommend that organisations (both service providers and MAHs) work together to construct agreements that, in addition to describing specific pharmacovigilance tasks, limit the potential for pharmacovigilance failures arising from outsourcing services.

When considering the points described in this blog, the following areas require attention when constructing contracts for pharmacovigilance services:

  • The use of pre-selection audits, gap analysis and capacity planning
  • Clarity of record / data ownership, and access to source data and the safety database by the MAH
  • Defined records management (format, location and timely provision) and document retention periods
  • Terms for transition periods, especially for data transfers, as well as contract termination rules
  • Provisions for business continuity
  • Proportionate oversight tools (audit, KPIs, deviations)
  • QPPV and National Competent Authority access to data and documentation
  • PSMF and Article 57 XEVMPD content and maintenance responsibilities
  • Provisions for sharing the outcomes of inspections and audit, CAPA implementation
  • Workload metrics and resource / training allocation responsibilities, rules and reports
  • Dispute resolution (in relation to pharmacovigilance decisions and activity)

Whilst ‘boiler plate’ templates for agreements might work well for partnership arrangements such as out-licensing or safety data exchange between partner pharmacovigilance systems, service provision is diverse and may need a bespoke approach.

MHRA do not arbitrate on private contractual issues; inspectors report on compliance with the applicable pharmacovigilance requirements. Marketing authorisation holders remain responsible for their own and contracted third parties’ pharmacovigilance compliance as well as any associated contractual issues in support of their marketing authorisations.


  1. GVP III Inspections, B.2 Inspection planning.
  2. GPvP inspections of contract service providers – August 2016 update
  3. Statutory Instrument 2012 No 1916 The Human Medicines Regulations 2012 (HMR)
  4. Commission Implementing Regulation (EU), article 12 Record management and data retention
  5. Directive 2001/83/EC as amended, article 107 Recording and reporting of suspected adverse reactions
  6. Directive 2001/83/EC as amended, article 111 and HMR Part 16
  7. Commission Implementing Regulation (EU) No 520/2012, articles 10 and 11 and GVP I
  8. Data Management VI.B.4 of GVP Module VI
  9. Commission Implementing Regulation (EU) No 520/2012, article 6
  10. Regulation (EC) 726/2004 as amended, article 57
  11. Commission Implementing Regulation (EU) No 520/2012, article 11 Compliance management
  12. Commission Implementing Regulation (EU) No 520/2012, article 10
