Computerized systems in pharmacovigilance
The Good Pharmacovigilance Practices (GVP) make it possible to guarantee the authenticity and quality of the safety data used for the continuous evaluation of the risks associated with medicines. The documented demonstration that a computerized system is suitable for its intended use is mandatory.
The Good Pharmacovigilance Practices (GVP) are established, with the objective of facilitating the development of obligations for the pharmaceutical industry, as a set of quality standards regarding the organization and operation of the drug marketing authorization holders. They are intended to provide a rapid and comprehensive response to any request for information from the competent authorities on drug safety.
The use of computerized systems can facilitate rapid access to information and can also be a way for health agents and patients to report data. Likewise, the systems can be used as tools in the management of industrial processes.
A computerized system is a set of physical elements (hardware) and associated programs (software) designed and assembled to perform one or several established activities.
In this article we will analyze the risks associated with computerized systems that support the activity of pharmacovigilance, the requirements demanded at the regulatory level in this regard, as well as the definition of the validation project throughout the life cycle of the system.
GVP requirements for computerized systems
Good pharmacovigilance practices apply mainly to the records of cases managed in the organization. Within its scope are the registration and management of electronic data, functionalities of computerized systems in the management of processes and their associated security, the assurance of patient confidentiality, documentation associated with the computerized system and its validation, technology service providers, training and security associated with end users who will make use of the system, and integrations between computerized systems both for the collection and recording of data, and for the transfer of information to the competent authorities.
The sections below analyze the requirements of good pharmacovigilance practices that are directed at the administrators of computerized systems, at the characteristics of the computerized systems themselves and/or at the verification of the final behavior of the process. Their application will therefore have both a technical and a procedural part.
Documentation management
The requirements applicable to computerized systems are as follows:
REQ DOC | PHARMACOVIGILANCE DOCUMENTATION MANAGEMENT REQUIREMENTS |
REQ DOC 1 | Computerized documentation management |
REQ DOC 1.1 | Registration of the document’s discharge date and the person who performs the action |
REQ DOC 1.2 | Document coding |
REQ DOC 1.3 | Association of records and associated documents |
REQ DOC 1.4 | Record of generation or receipt, evaluation and/or notification |
REQ DOC 1.5 | Internal or external document identification |
REQ DOC 2 | Internal documentation (examples) |
REQ DOC 2.1 | Medicine technical data sheet |
REQ DOC 2.2 | Basic Product Safety Information (IBSP) |
REQ DOC 2.3 | Adverse reaction database |
REQ DOC 2.4 | Sales figures |
REQ DOC 2.5 | Information on weekly bibliographic searches in biomedical journals |
REQ DOC 2.6 | Safety information regarding clinical trials |
REQ DOC 2.7 | Observational studies |
REQ DOC 2.8 | Licensing and Marketing Agreements |
REQ DOC 2.9 | Quality issues that may trigger patient safety problems |
REQ DOC 3 | External documentation (examples) |
REQ DOC 3.1 | Contracts with external companies to outsource pharmacovigilance activities. With detailed description of the service. |
Electronic Records
The requirements applicable to computerized systems are as follows:
REQ REG | ELECTRONIC RECORDS REQUIREMENTS FOR PHARMACOVIGILANCE DATA |
REQ REG 1 | Management of records associated with suspected adverse reactions (SRA) |
REQ REG 1.1 | Registration of the document’s discharge date and the person who performs the action |
REQ REG 1.2 | All MRS must be collected. The record should differentiate: misuse, overdose, medication dependency and abuse, use outside the authorized conditions, medication errors, foreign medications, or exposure during pregnancy or lactation. |
REQ REG 1.3 | Veracity of the information. Record of the contrast of the information with the source documentation. |
REQ REG 1.4 | Registration of the person and date of knowledge of the information. |
REQ REG 1.5 | Record of the date on which the adverse reaction was registered, and assignment of a unique, unambiguous sequential identification number to maintain its traceability |
REQ REG 1.6 | Registration of the valuation. |
REQ REG 1.7 | Tracking record. |
REQ REG 1.8 | The additional follow-up information received will be recorded and dated in the same way as the initial information |
REQ REG 1.9 | Documents and/or records related to the same SRA must be kept together. It is necessary that all activities related to their receipt, evaluation and notification can be tracked. |
REQ REG 1.10 | When information is received directly from a patient/user that suggests that an RA has occurred, the CT should attempt to obtain the patient’s permission to contact the healthcare professional responsible for the clinical follow-up for additional information. |
REQ REG 1.11 | Recording and evaluation of information regarding overdose, exposure during pregnancy or lactation, misuse, dependence or abuse of medication, or medication errors that do not result in clinical consequences harmful to the subject |
Data Management
The requirements applicable to computerized systems are as follows:
REQ DAT | PHARMACOVIGILANCE DATA MANAGEMENT REQUIREMENTS |
REQ DAT 1 | RAS Data Management System |
REQ DAT 1.1 | Must ensure the integrity, accuracy, reliability, consistency and confidentiality of all information |
REQ DAT 2 | Personal data |
REQ DAT 2.1 | To guarantee the confidentiality of personal data in accordance with current legislation. |
REQ DAT 2.2 | Notification by the Spanish Data Protection Agency of pharmacovigilance files containing personal data (whether computerized or paper) |
REQ DAT 3 | Access Control |
REQ DAT 3.1 | Per-person access control, adapted to the characteristics of the file or archive |
REQ DAT 4 | Audit trail |
REQ DAT 4.1 | Any data correction must be made in such a way that the previous data can be read, documenting the reason for the change, the date and identification (e.g. signature, initials, user code, etc.) of the person who made the change. |
REQ DAT 4.2 | If the data is transformed during processing, its traceability must be maintained, and the initial data can be compared with subsequent changes |
REQ DAT 5 | Fast and selective search of information |
REQ DAT 5.1 | According to criteria of severity, patient’s age, sex, drugs, notification dates, RAS dates, electronic transmission dates, origin, etc. |
REQ DAT 5.2 | Immediate access to essential data (case identification number, drug, reaction and case narrative), for example, in less than an hour. |
REQ DAT 5.3 | Detailed information on each case, including source documentation, should be accessible within three days. |
REQ DAT 6 | Periodic or individual reconciliation or confirmation procedures to ensure the complete transfer of information. |
REQ DAT 6.1 | If PV information is transferred from any source, internally (e.g., between medical information department and PV department), or externally (between headquarters and subsidiaries or between licensee companies). |
Validation of computerized systems
The requirements applicable to computerized systems are as follows:
REQ VAL | VALIDATION REQUIREMENTS FOR COMPUTERIZED SYSTEMS ASSOCIATED WITH PHARMACOVIGILANCE ACTIVITIES |
REQ VAL 1 | Computerized data management systems must be validated. |
REQ VAL 2 | Physical and logical security |
REQ VAL 2.1 | Control of unauthorized access to computer equipment and media |
REQ VAL 3 | User and security management |
REQ VAL 4 | Data backup |
REQ VAL 5 | Migration processes |
REQ VAL 5.1 | Documented and validated |
REQ VAL 6 | Audit trail |
REQ VAL 7 | Change control |
REQ VAL 7.1 | To ensure that the upgrade is controlled and the validation of the system is maintained throughout its life cycle |
REQ VAL 8 | Alternative data management procedure in case of temporary system failure |
REQ VAL 9 | Disaster Recovery Plan |
REQ VAL 10 | Training |
REQ VAL 11 | Adapted to the user's responsibilities in the use of computerized data management systems |
REQ VAL 10 | PNTs |
Expeditious reporting of adverse reactions
The requirements applicable to computerized systems are as follows:
REQ NEX | REQUIREMENTS FOR EXPEDITIOUS REPORTING OF ADVERSE REACTIONS |
REQ NEX 1 | Compliance with reporting and formatting requirements |
REQ NEX 1.1 | Compliance with minimum information requirements, severity criteria, causality relationship, notification deadlines, MedDRA terminology and electronic format |
REQ NEX 2 | Notification Coding |
REQ NEX 2.1 | Registration of the RAS received from the AEMPS, without having to be sent again to the SEFV-H (Spanish System of Pharmacovigilance of Medicines for Human Use). The notification number of the AEMPS will be kept as a global identification number, the TAC (marketing authorization holder of a medicine) can assign another number. The entry of the notification must be recorded. |
REQ NEX 3 | Information associated with the notification |
REQ NEX 3.1 | Trade name, active ingredient, concentration, pharmaceutical form of the drugs involved as well as the dose administered. |
REQ NEX 4 | Notification deadlines |
REQ NEX 4.1 | Notification within 48 hours in RAS of advanced therapy drugs that involve transmission of a disease or other problem. |
REQ NEX 5 | Contact attempts |
REQ NEX 5.1 | Attempts to contact the notifier must be recorded. |
Transmission requirements
The requirements applicable to computerized systems are as follows:
REQ TRA | TRANSMISSION REQUIREMENTS |
REQ TRA 1 | Knowledge of the data necessary for the electronic transmission of RAS, as well as the electronic identifier assigned by the EMA (ID profile), agreements with third parties if this function is outsourced, and the processes for receiving the RAS sent from the AEMPS |
REQ TRA 2 | Expedited notification in electronic format following European standards |
REQ TRA 2.1 | Regarding deadlines, format, recipient and minimum information |
REQ TRA 3 | An electronic record must be kept of the proper receipt of the shipment by the competent regulatory authority. |
REQ TRA 3.1 | In case of on-line upload in FEDRA, the receipts of the electronic communication of each SRA case must be filed with the date of sending to the SEFV-H. |
REQ TRA 3.2 | In the option of electronic transmission in XML format, there will be access to the computer system itself, where the acknowledgement messages of the various shipments can be identified, to check compliance with deadlines. |
REQ TRA 4 | The CT must ensure that the electronic transmission has been effective (receipt of acknowledgement, or ACK). In case of any problem in the electronic transmission, the instructions determined by the EMA and the AEMPS will be followed. The TAC must keep a record of temporary problems in communications, whether from the AEMPS or the TAC. |
Periodic Safety Reports (IPS)
The requirements applicable to computerized systems are as follows:
REQ IPS | PERIODIC SAFETY REPORT (IPS) REQUIREMENTS |
REQ IPS 1 | The TAC should include in a single IPS the data relating to all the medicines of which it is holder that contain the same active ingredient. However, when considered relevant for evaluation, data on fixed-dose combinations, pharmaceutical forms, routes of administration or different therapeutic indications may be presented in separate sections of the IPS, or in separate IPSs. |
REQ IPS 2 | The TAC must prepare and present to the health authorities the IPS with the content, frequency and deadlines established by the legislation in force, following the recommendations established in the document of Questions and Answers on IPS, of the AEMPS |
Risk Management Plans (RMP)
The requirements applicable to computerized systems are as follows:
REQ PGR | REQUIREMENTS RISK MANAGEMENT PLANS (RMP) |
REQ PGR 1 | The pharmacovigilance plan should specify, for each identified or potential risk, the specific measures that will be used to characterize the risks and expand on the corresponding information. These may be limited to routine pharmacovigilance activities, or may include the conduct of studies or other activities as necessary. |
Post-authorization studies (EPA)
The requirements applicable to computerized systems are as follows:
REQ EPA | REQUIREMENTS FOR POST-AUTHORIZATION STUDIES (EPA) |
REQ EPA 1 | The TAC must have an updated record of the EPAs carried out in Spain of which it is the promoter. The RFV (Responsible for PharmacoVigilance) must have access to this record. |
REQ EPA 2 | The TAC will expeditiously report serious ARSs that have occurred in Spain, of which it can reasonably be expected to have knowledge, to the competent body in matters of Pharmacovigilance of the Autonomous Community where the health professional who has reported the case works. The expeditious notification of RAS will be made electronically by the RFV following the instructions published by the AEMPS (in the electronic transmission section). These cases will be included in the IPS. |
Post-authorization safety studies (EPAS)
The requirements applicable to computerized systems are as follows:
REQ EPAS | REQUIREMENTS FOR POST-AUTHORIZATION SAFETY STUDIES (EPAS) |
REQ EPAS 1 | The RFV must review the protocols of the EPAS carried out in Spain, if they have not been reviewed by the QPPV (Person responsible for pharmacovigilance in Europe). In any case, the RFV must know the protocol of the SAE carried out in Spain, guaranteeing that the communication procedures of the RAS are adequate, that the safety aspects are adequately monitored and that they are carried out according to Spanish regulations. This review must be documented. |
Archive
The requirements applicable to computerized systems are as follows:
REQ ARCH | ARCHIVING REQUIREMENTS |
REQ ARCH 1 | The archive management system established by the TAC should guarantee the adequate conservation of documentation related to pharmacovigilance activities, as well as its availability in a rapid and complete manner. The passive or historical archive facilities should offer measures to protect the archived materials against possible destruction by water, fire, light and pests. |
REQ ARCH 1.1 | RAS notifications received and additional follow-up documentation, IPSs and correspondence with health authorities must be kept until at least five years after the completion of the marketing of the medicine to which they refer, unless a new marketing authorization is requested during that period, changes to the initial registration, such as a new indication, new dosage, etc. |
REQ ARCH 1.2 | The TAC must preserve the historical SOPs for a minimum period of 10 years. Documentation regarding CV, training and education of the RFV and pharmacovigilance department technicians, including those no longer working for the CT, will be kept for as long as the CT remains active. |
REQ ARCH 1.3 | There must be a system for recording the documentation stored in the passive archive, with a system for controlling the entry and exit of documentation from the archive, which records the documentation withdrawn, the person who withdraws it and the date of departure and return. This system must be included in an internal company procedure. |
REQ ARCH 1.4 | Access to the passive archive or, if applicable, to the general archive, should be restricted to authorized personnel. |
Quality assurance
The requirements applicable to computerized systems are as follows:
REQ UGC | QUALITY ASSURANCE REQUIREMENTS |
REQ UGC 1 | The TAC must carry out periodic audits of the pharmacovigilance system in order to verify that all activities are carried out in accordance with the legislation in force, the GVP and the established SOPs. |
REQ UGC 2 | The TAC should establish a documented quality assurance program that specifies the frequency, content and scope of audits based on the complexity of the pharmacovigilance system. |
REQ UGC 3 | The result of each audit must be documented in a report, which will be sent to the TAC management and the RFV diligently. The TAC shall record the audits performed, and document the dates of dispatch and receipt of the corresponding reports. |
REQ UGC 4 | Corrective measures will be established for each of the deficiencies observed and a documented follow-up of their implementation will be carried out. |
REQ UGC 5 | The TAC should keep a record of quality assurance activities, including audit reports, implementation and follow-up of corrective actions. |
REQ UGC 6 | The procedure for conducting audits, as well as the aspects to be audited, must be established in a PNT. |
Agreements and contracts
The requirements applicable to computerized systems are as follows:
REQ ACU | AGREEMENT AND CONTRACT REQUIREMENTS |
REQ ACU 1 | The TAC may subcontract or transfer some of the activities derived from its obligations and responsibilities in pharmacovigilance. The TAC bears final responsibility, in terms of VF, for the medicines it owns. |
REQ ACU 2 | There must be agreements or contracts formalized with third parties in the following cases: |
REQ ACU 2.1 | Outsourcing of pharmacovigilance activities or use of external service providers to carry out such activities. |
REQ ACU 2.2 | Distribution and manufacturing by third parties. |
REQ ACU 2.3 | Joint licensing, promotion and marketing. |
REQ ACU 3 | The VF agreements or contracts should include a detailed description of the pharmacovigilance activities assigned to each party involved that specifies: the content and format of the data to be transferred, reconciliation procedures and transfer deadlines. The activities not mentioned in the contract reside in the TAC. The agreements should be signed and dated by the representatives of both parties. |
Design of the project for the validation of computerized systems associated with the pharmacovigilance activity
The main steps in the design and execution of a computerized system validation project associated with the activities of the pharmacovigilance area are specified below.
Strategy
Materialized in a validation plan of the computerized system, centralizing in a document the scope of the validation (defining the system as part software and hardware), identifying the applicable regulations and good practice guidelines followed to develop the methodology of the project, specifying the project team (with a multidisciplinary vision that covers the experience and knowledge in the area of quality, IT and pharmacovigilance processes), establishing the acceptance criteria to validate the system and detailing the methodology to be developed during the project.
Defining the intended use of the computerized system and the service requested from the technology provider
Establishing the user requirements demanded of the system at the operational, security and data integrity, technological and computer level, as well as specifying the quality agreement for the service to be provided by the technology supplier that supports the management of the system.
Ensuring the installation and configuration of the system
Identifying the software and hardware elements that make up the system and ensuring a minimum definition of each of them, establishing the criticality of each element with a risk-based approach and verifying that the final IT infrastructure complies with the technical specifications of each element.
Ensuring system functionality
Elaborating the traceability matrix to identify the functionalities to be used by the organization, checking that there are standardized working procedures that establish the methodology to be followed by system administrators and users, as well as verifying the operational, technical and safety design through the qualification of the system operation (OQ).
Ensuring user activity
By defining users that uniquely identify each member of the organization, designing security profiles according to their job profiles and ensuring their training through a continuous training plan.
Ensuring the integrity of the information
By defining a data integrity audit that analyzes compliance with the ALCOA+ rule of the information flow that is managed by the computerized process throughout its life cycle.
Ensuring the final computerized process
Verifying the integration of all factors mentioned above, ensuring the management, control and traceability of processes.
Bearing in mind that, like any other quality system, it must be maintained over time
Maintenance of the control status through the implementation of management procedures that establish the methodology to follow in the continuous management of the system and audits of periodic evaluation of the status of validation, compliance with the supplier’s service and data integrity.
Conclusions
- Computerized system validation is a documented demonstration that a computerized system is suitable for its intended use. A computerized system is a set of physical elements (hardware) and associated programs (software) designed and assembled to perform one or more established activities.
- The main risks of the computerized process in the field of pharmacovigilance concern ensuring the integrity of the data when case information is entered, following these data exhaustively throughout the life cycle of the electronic record by means of the audit trail, and ensuring the export and transfer of case data to the platforms of the competent authorities.
Article originally published in Pharmatech’s magazine, number 51, July-August 2020