Ask the Experts: Computer System Considerations for Pharmacovigilance Data Migration

Adaptive Trial DesignWhen it comes to safety systems, pharmacovigilance professionals must take into consideration the guidelines and legislation laid out my regulatory agencies. Computer systems used to manage safety data are subject to rigorous validation testing to determine if they are suitable to manage safety data in the clinical environment.

Last month, ARITHMOS hosted the second edition of Pharmacovigilance Day in Milan, a seminar which invites pharmacovigilance professionals to meet and discuss the industry’s most pressing issues. This year, a senior PhV Inspector from the Italian Pharmaceutical Association (AIFA) presented his considerations on computerized systems and Inspection-Readiness especially in terms of data migration and the PSMF.

According to the Good Vigilance Practices (GVP) applied in Europe, “facilities and equipment which are critical for the conduct of pharmacovigilance should be subject to appropriate checks, qualification and/or validation activities to prove their suitability for the intended purpose. There should be processes in place to keep awareness of the valid terminologies in their valid versions to keep the IT systems up-to-date accordingly”.

This is of utmost importance in the pharmacovigilance field, especially when it pertains to the transfer of safety data from outdated or legacy systems.

What does this mean for the migration of pharmacovigilance data?

More specifically, GVP Module VI addresses the need for a quality management system to ensure compliance with standards and documentation including data collection, transfer and management.

Therefore, there is a need to establish which processes will be used in every step of data migration and who will be involved in the data transfer and their role. Next, the checks that will be carried out after migration next to be defined to guarantee data integrity and completeness in the database. Lastly, a documentation and archiving process needs to be defined.

A quality management process needs to be in place to keep track of the activities done before, during and after the data transfer to ensure that the transfer to the new database is secure and complete and that the processes used did not result in the loss of safety data.

Verifying data migration is essential when:

  • There a new safety database is implemented
  • The acquisition of a new company or the merging of two companies

As our expert points out, data migration is necessary because:

  • Cumulative data in ICSRs are requested for the analysis of signals and for a risk/benefit analysis
  • PSURs, where foreseen, must contain cumulative “summary tabulations” of adverse reactions
  • Regulatory agencies can request cumulative reviews for types of specific events
  • Occasionally follow up information can be requested for previous signaled cases

Additional Considerations for the PSMF

Besides safety databases, the PSMF must report any electronic system that collects, registers and reports safety information including medical information systems, data banks or any other system in clinical trials that collects safety data.

Common deviations for computerized systems include the absence of a disaster recovery and business continuity plan, no reconciliation between the pharmacovigilance database and other department databases and the failure to enter all AEs into the PhV database.

ARITHMOS recommends a full business and technical analysis of pharmacovigilance needs before proceeding with data migration projects. Our multidisciplinary team of business analysts, life science application specialists, pharmacovigilance system and process experts and computer system validation experts can prepare a proper user requirement analysis and a risk management plan to guide companies through data migration projects to guarantee compliance with regulatory standards.


Quality by Design: Risk-Based Approach to Clinical Trials

Internet gamblingLast week, ARITHMOS attended the GIQAR conference in Italy which focused on managing changes to GxP guidelines. ARITHMOS’ Stefano Piccoli presented at the conference on the topic of Quality by Design and how to prevent failure in monitoring by anticipating and mitigating risk when it comes to technology solutions.

The overall problem is that current practices in clinical research are not proportionate to risk or well-adapted to achieving the desired goals. Some origins of this problem include:

  • The costs of clinical development
  • Globalization of clinical trials which complicates the regulatory and business environments
  • Risk Aversion
  • Poor study design and processes
  • Failing to identify the individual implementation needs of quality control activities

The goal of Quality by Design is to build in quality prospectively rather than “test it in” retrospectively. This means identifying in advance the risks to quality and planning how to avoid them.

In terms of Quality Risk Management, the FDA is expecting a shift from data-heavy NDA/BLA submissions to “knowledge-rich” submissions with insight from QRM practices. Likewise, the EU expects risks to be identified prospectively and concepts to be applied at the early program design stage before individual trials are running.

How can Quality by Design help in clinical drug development?

  • Designing optimal infrastructure
  • Optimizing processes and systems
  • Mitigating risks associated with clinical programs and individual studies
  • “Fit-for-purpose” monitoring
  • “Fit-for-purpose” training and communication
  • Enhancing GCP compliance and reducing audit/inspection findings
  • Meeting health authority expectations
  • Reducing the likelihood of costly errors
  • Getting it right the first time and avoiding the need to “fix” it down the road

Risk Based Approach to CSV

Computerized systems that support GxP processes must be validated in proportion to the level of risk they present to patient safety, product quality and the integrity of regulated records. The validation effort should be concentrated on the areas with the most risk.

There are 5 steps to a Quality Risk Management process which is designed to scaled according to the level of risk, complexity and characteristics of individual systems.

  • Step 1: Perform Initial Risk Assessment and Determine System Impact
  • Step 2: Identify Functions with Impact on Patient Safety, Product Quality, and Data Integrity
  • Step 3: Perform Functional Risk Assessments and Identify Controls
  • Step 4: Implement and Verify Appropriate Controls
  • Step 5: Review Risks and Monitor Controls

ARITHMOS’ team of expert CSV and Life Sciences Application consultants, certified in COBIT 5 and ITIL, provide two approaches to Computer System Validation. The strategic approach involves appropriate expert planning, risk assessment, business process analysis and defining user requirements. In the maintenance approach, on-going project management and periodic compliance reviews ensure technologies are safe and accurate for end users through a continuously documented process. 

To schedule a pre-assessment meeting with one of our experts, contact us at


Computer System Validation: Comparison between 21 CFR Part 11 and EU Annex 11

In last week’s blog post, Arithmos wrote about the importance of Computer System Validation for life sciences technology, pointing out that their are laws and regulations which guide CSV practices. This week, Arithmos discusses a comparison of 21 CFR Part 11 and EU Annex 11, in particularly with regards to electronic records and signatures. This month, Arithmos Chief Operating Officer, Stefano Piccoli, instructed a course on Part 11 and Annex 11 in Milan.

21 CFR Part 11 and EU Annex 11 share a common intent: that all computerized systems used in GxP-regulated environments require compliance for ensuring integrity of records and data. Part 11 is strictly applicable to the United States in all FDA (Food & Drug Administration) program areas as well as to all manufacturers outside the U.S. who wish to gain FDA market approval. Annex 11, on the other hand, applies to the European Union as well as foreign manufacturers who are seeking EU market approval.


21 CFR Part 11 Scope: Part 11 applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted under any records requirements set forth in agency regulations. It is applicable to all GxP computerized systems that are used to store and manage electronic records and signatures that are required by the predicate rule.

EU Annex 11 Scope: Annex 11 applies to Good Manufacturing Practices (GMP) for medicinal products for human use, investigational medicinal products for human use and veterinary medicinal products and concerns those computerized systems used in the GMP environment.

It is important to note that the EU Annex 11 is not a legal requirement, but a guideline – albeit a strongly recommended guideline. 21 CFR Part 11 is, however, a regulation set by the U.S.

Both Part 11 and Annex 11 apply to electronic records and signatures. Under 21 CFR Part 11, e-Signatures must include a printed name , verification of identity of the individual signing the document, requirements to prevent forgery and unique codes and passwords. Meanwhile, under Annex 11 e-Signatures have the same impact of a handwritten signature and must be permanently linked to a record as well as include a time and date.

Picture1However, Annex 11 goes beyond Part 11 in four key areas:

  • Supplier and service provider audits – in accordance with GAMP 5, the role of the supplier has been put in the spotlight due to the trend of purchasing clinical trial systems and outsourcing computer system related services.
  • IT infrastructure qualification – Validation of computer systems is an element of a project phase and takes center stage, and validation has been expanded to cover the complete life cycle. Annex 11 includes the qualification of the IT infrastructure.
  • Risk Management – The EU Annex 11 has added a new clause on risk management and taking a risk based approach to CSV. Computerized systems that support GxP processes must be validated in proportion to the level of risk they present to patient safety, product quality and integrity of regulated records.
  • Integrity of system operations and information stored in the system- Annex 11 goes beyond Part 11 to cover general, project phase, operational phase, data, data storage, audit trails and periodic review and security.

In conclusion, although Annex 11 is just a guideline, it has a much broader scope than Part 11 and has improved standards for regulated users and systems. The FDA is expected to report on the industry’s understanding of Part 11 implementation and focus on areas such as validation, audit trail, copies of records and record retention. The review will most likely generate revised/new revisions, closing the gap between Annex 11 and Part 11.

Arithmos and CSV

The Arithmos team has extensive experience in validating systems in the healthcare sector. To ensure patient safety and full adherence to regulatory requirements, we validate regulated systems in a cost-effective, efficient and fully compliant manner. We provide full evidence of the validation exercise, and when requested, fix non-compliant areas.

Related Links

Best Practices: Implementing Computer System Validation