Home  /  Computerized Systems Validation   /  Computerized systems in pharmacovigilance
Sistemas informatizados en farmacovigilancia

Computerized systems in pharmacovigilance

The Good Pharmacovigilance Practices (GVP) allow to guarantee the authenticity and quality of the safety data for the continuous evaluation of the risks associated to the medicines. The documented demonstration that a computerized system is suitable for the intended use is mandatory.

Requisitos de la información para la digitalización.

The Good Pharmacovigilance Practices (GVP) are established, with the objective of facilitating the development of obligations for the pharmaceutical industry, as a set of quality standards regarding the organization and operation of the drug marketing authorization holders. They are intended to provide a rapid and comprehensive response to any request for information from the competent authorities on drug safety.

The use of computerized systems can facilitate rapid access to information and can also be a way for health agents and patients to report data. Likewise, the systems can be used as tools in the management of industrial processes.

A computerized system is a set of physical elements (hardware) and associated programs (software) designed and assembled to perform one or several established activities.
In this article we will analyze the risks associated with computerized systems that support the activity of pharmacovigilance, the requirements demanded at the regulatory level in this regard, as well as the definition of the validation project throughout the life cycle of the system.

GVP requirements for computerized systems

Good pharmacovigilance practices apply mainly to the records of cases managed in the organization. Within its scope are the registration and management of electronic data, functionalities of computerized systems in the management of processes and their associated security, the assurance of patient confidentiality, documentation associated with the computerized system and its validation, technology service providers, training and security associated with end users who will make use of the system, and integrations between computerized systems both for the collection and recording of data, and for the transfer of information to the competent authorities.

Next, the requirements of good pharmacovigilance practices directed to the administrators of computerized systems, the characteristics of the computerized systems themselves and/or the verifications of the final behavior of the process are analyzed. Therefore, its application will have both a technical and a procedural part of the system.

Documentation management

The requirements applicable to computerized systems are as follows:

REQ DOC 1Computerized documentation management
REQ DOC 1.1Registration of the document’s discharge date and the person who performs the action
REQ DOC 1.2Document coding
REQ DOC 1.3Association of records and associated documents
REQ DOC 1.4Record of generation or receipt, evaluation and/or notification
REQ DOC 1.5Internal or external document identification
REQ DOC 2Internal documentation (examples)
REQ DOC 2.1Technical data sheet medicine
REQ DOC 2.2Basic Product Safety Information (IBSP)
REQ DOC 2.3Adverse reaction database
REQ DOC 2.4Sales figures
REQ DOC 2.5Information on weekly bibliographic searches in biomedical journals
REQ DOC 2.6Safety information regarding clinical trials
REQ DOC 2.7Observational studies
REQ DOC 2.8Licensing and Marketing Agreements
REQ DOC 2.9Quality issues that may trigger patient safety problems
REQ DOC 3External documentation (examples)
REQ DOC 3.1Contracts with external companies to outsource pharmacovigilance activities. With detailed description of the service.

Electronic Records

The requirements applicable to computerized systems are as follows:

REQ REG 1Management of records associated with suspected adverse reactions (SRA)
REQ REG 1.1Registration of the document’s discharge date and the person who performs the action
REQ REG 1.2All MRS must be collected. The record should differentiate: misuse, overdose, medication dependency and abuse, use outside the authorized conditions, medication errors, foreign medications, or exposure during pregnancy or lactation.
REQ REG 1.3Veracity of the information. Record of the contrast of the information with the source documentation.
REQ REG 1.4Registration of the person and date of knowledge of the information.
REQ REG 1.5Registration of the date of registration of the adverse reaction and assignment of the univocal and unequivocal correlative identification number to maintain its traceability
REQ REG 1.6Registration of the valuation.
REQ REG 1.7Tracking record.
REQ REG 1.8The additional follow-up information received will be recorded and dated in the same way as the initial information
REQ REG 1.9Documents and/or records related to the same SRA must be kept together. It is necessary that all activities related to their receipt, evaluation and notification can be tracked.
REQ REG 1.10When information is received directly from a patient/user that suggests that an RA has occurred, the CT should attempt to obtain the patient’s permission to contact the healthcare professional responsible for the clinical follow-up for additional information.
REQ REG 1.11Recording and evaluation of information regarding overdose, exposure during pregnancy or lactation, misuse, dependence or abuse of medication, or medication errors that do not result in clinical consequences harmful to the subject

Data Management

The requirements applicable to computerized systems are as follows:

REQ DAT 1RAS Data Management System
REQ DAT 1.1Must ensure the integrity, accuracy, reliability, consistency and confidentiality of all information
REQ DAT 2Personal data
REQ DAT 2.1To guarantee the confidentiality of personal data in accordance with current legislation.
REQ DAT 2.2Notification by the Spanish Data Protection Agency of pharmacovigilance files containing personal data (whether computerized or paper)
REQ DAT 3Access Control
REQ DAT 3.1Per person adapted to the characteristics of the file or archive
REQ DAT 4Audit trail
REQ DAT 4.1Any data correction must be made in such a way that the previous data can be read, documenting the reason for the change, the date and identification (e.g. signature, initials, user code, etc.) of the person who made the change.
REQ DAT 4.2If the data is transformed during processing, its traceability must be maintained, and the initial data can be compared with subsequent changes
REQ DAT 5Fast and selective search of information
REQ DAT 5.1According to criteria of severity, patient’s age, sex, drugs, notification dates, RAS dates, electronic transmission dates, origin, etc.
REQ DAT 5.2Immediate access to essential data (case identification number, drug, reaction and case narrative), for example, in less than an hour.
REQ DAT 5.3Detailed information on each case, including source documentation, should be accessible within three days.
REQ DAT 6Periodic or individual reconciliation or confirmation procedures to ensure the complete transfer of information.
REQ DAT 6.1If PV information is transferred from any source, internally (e.g., between medical information department and PV department), or externally (between headquarters and subsidiaries or between licensee companies).

Validation of computerized systems

The requirements applicable to computerized systems are as follows:

REQ VAL 1Computerized data management systems must be validated.
REQ VAL 2Physical and logical security
REQ VAL 2.1Control of unauthorized access to computer equipment and media
REQ VAL 3User and security management
REQ VAL 4Data backup
REQ VAL 5Migration processes
REQ VAL 5.1Documented and validated
REQ VAL 6Audit trail
REQ VAL 7Change control
REQ VAL 7.1To ensure that the upgrade is controlled and the validation of the system is maintained throughout its life cycle
REQ VAL 8Alternative data management procedure in case of temporary system failure
REQ VAL 9Disaster Recovery Plan
REQ VAL 10Training
REQ VAL 11Adapted to your responsibilities in the use of computerized data management systems

Expeditious reporting of adverse reactions

The requirements applicable to computerized systems are as follows:

REQ NEX 1Compliance with reporting and formatting requirements
REQ NEX 1.1Compliance with minimum information requirements, severity criteria, causality relationship, notification deadlines, MedDRA terminology and electronic format
REQ NEX 2Notification Coding
REQ NEX 2.1Registration of the RAS received from the AEMPS, without having to be sent again to the SEFV-H (Spanish System of Pharmacovigilance of Medicines for Human Use). The notification number of the AEMPS will be kept as a global identification number, the TAC (marketing authorization holder of a medicine) can assign another number. The entry of the notification must be recorded.
REQ NEX 3Information associated with the notification
REQ NEX 3.1Trade name, active ingredient, concentration, pharmaceutical form of the drugs involved as well as the dose administered.
REQ NEX 4Notification deadlines
REQ NEX 4.1Notification within 48 hours in RAS of advanced therapy drugs that involve transmission of a disease or other problem.
REQ NEX 5Contact attempts
REQ NEX 5.1Attempts to contact the notifier must be recorded.

Transmission requirements

The requirements applicable to computerized systems are as follows:

REQ TRA 1To know the necessary data for the electronic transmission of RAS, to relate also the electronic identifier assigned by the EMA (ID profile), agreements with third parties if this function is outsourced, reception processes of the RAS sent from the AEMPS
REQ TRA 2Expedited notification in electronic format following European standards
REQ TRA 2.1Regarding deadlines, format, recipient and minimum information
REQ TRA 3An electronic record must be kept of the proper receipt of the shipment by the competent regulatory authority.
REQ TRA 3.1In case of on-line upload in FEDRA, the receipts of the electronic communication of each SRA case must be filed with the date of sending to the SEFV-H.
REQ TRA 3.2In the option of electronic transmission in XML format, tendrá́ provides access to the computer system itself where the acknowledgement messages of the various shipments can be identified, to check compliance with deadlines.
REQ TRA 4The CT must ensure that the electronic transmission has been effective (receipt of acknowledgement, or ACK). In case of any problem in the electronic transmission, the instructions determined by the EMA and the AEMPS will be followed. The TAC must keep a record of temporary problems in communications, whether from the AEMPS or the TAC.

Periodic Security Reports (IPS)

The requirements applicable to computerized systems are as follows:

REQ IPS 1The TAC should include in a single IPS the data relating to all the medicines of which it is holder that contain the same active ingredient. However, when considered relevant for evaluation, data on fixed-dose combinations, pharmaceutical forms, routes of administration or different therapeutic indications may be presented in separate sections of the IPS, or in separate IPSs.
REQ IPS 2The TAC must prepare and present to the health authorities the IPS with the content, frequency and deadlines established by the legislation in force, following the recommendations established in the document of Questions and Answers on IPS, of the AEMPS

Risk Management Plans (RMP)

The requirements applicable to computerized systems are as follows:

REQ PGR 1The pharmacovigilance plan should specify, for each identified or potential risk, the specific measures that will be used to characterize the risks and expand on the corresponding information. These may be limited to routine pharmacovigilance activities, or may include the conduct of studies or other activities as necessary.

Post-authorization studies (EPA)

The requirements applicable to computerized systems are as follows:

REQ EPA 1The TAC must have an updated record of the EPAs carried out in Spain of which it is the promoter. The RFV (Responsible for PharmacoVigilance) must have access to this record.
REQ EPA 2The TAC will expeditiously report serious ARSs that have occurred in Spain, of which it can reasonably be expected to have knowledge, to the competent body in matters of Pharmacovigilance of the Autonomous Community where the health professional who has reported the case works. The expeditious notification of RAS will be made electronically by the RFV following the instructions published by the AEMPS (in the electronic transmission section). These cases will be included in the IPS.

Post-authorization safety studies (EPAS)

The requirements applicable to computerized systems are as follows:

REQ EPAS 1The RFV must review the protocols of the EPAS carried out in Spain, if they have not been reviewed by the QPPV (Person responsible for pharmacovigilance in Europe). In any case, the RFV must know the protocol of the SAE carried out in Spain, guaranteeing that the communication procedures of the RAS are adequate, that the safety aspects are adequately monitored and that they are carried out according to Spanish regulations. This review must be documented.


The requirements applicable to computerized systems are as follows:

REQ ARCH 1The archive management system established by the TAC should guarantee the adequate conservation of documentation related to pharmacovigilance activities, as well as its availability in a rapid and complete manner. The passive or historical archive facilities should offer measures to protect the archived materials against possible destruction by water, fire, light and pests.
REQ ARCH 1.1RAS notifications received and additional follow-up documentation, IPSs and correspondence with health authorities must be kept until at least five years after the completion of the marketing of the medicine to which they refer, unless a new marketing authorization is requested during that period, changes to the initial registration, such as a new indication, new dosage, etc.
REQ ARCH 1.2The TAC must preserve the historical SOPs for a minimum period of 10 years. Documentation regarding CV, training and education of the RFV and pharmacovigilance department technicians, including those no longer working for the CT, will be kept for as long as the CT remains active.
REQ ARCH 1.3There must be a system for recording the documentation stored in the passive archive, with a system for controlling the entry and exit of documentation from the archive, which records the documentation withdrawn, the person who withdraws it and the date of departure and return. This system must be included in an internal company procedure.
REQ ARCH 1.4Access to the passive archive or, if applicable, to the general archive, should be restricted to authorized personnel.

Quality assurance

The requirements applicable to computerized systems are as follows:

REQ UGC 1The TAC must carry out periodic audits of the pharmacovigilance system in order to verify that all activities are carried out in accordance with the legislation in force, the GVP and the established SOPs.
REQ UGC 2The TAC should establish a documented quality assurance program that specifies the frequency, content and scope/scope of audits based on the complexity of the pharmacovigilance system.
REQ UGC 3The result of each audit must be documented in a report, which will be sent to the TAC management and the RFV diligently. The TAC shall record the audits performed, and document the dates of dispatch and receipt of the corresponding reports.
REQ UGC 4Corrective measures will be established for each of the deficiencies observed and a documented follow-up of their implementation will be carried out.
REQ UGC 5The TAC should keep a record of quality assurance activities, including audit reports, implementation and follow-up of corrective actions.
REQ UGC 6The procedure for conducting audits, as well as the aspects to be audited, must be established in a PNT.

Agreements and contracts

The requirements applicable to computerized systems are as follows:

REQ ACU 1The TAC may subcontract or transfer some of the activities derived from its obligations and responsibilities in pharmacovigilance. The TAC is the final responsible in terms of VF of the medicines it owns.
REQ ACU 2There must be agreements or contracts formalized with third parties in the following cases:
REQ ACU 2.1Outsourcing of pharmacovigilance activities or use of external service providers to carry out such activities.
REQ ACU 2.2Distribution and manufacturing by third parties.
REQ ACU 2.3Joint licensing, promotion and marketing.
REQ ACU 3The VF agreements or contracts should include a detailed description of the pharmacovigilance activities assigned to each party involved that specifies: the content and format of the data to be transferred, reconciliation procedures and transfer deadlines. The activities not mentioned in the contract reside in the TAC. The agreements should be signed and dated by the representatives of both parties.

Design of the project for the validation of computerized systems associated with the pharmacovigilance activity

The main steps in the design and execution of a computerized system validation project associated with the activities of the pharmacovigilance area are specified below.


Materialized in a validation plan of the computerized system, centralizing in a document the scope of the validation (defining the system as part software and hardware), identifying the applicable regulations and good practice guidelines followed to develop the methodology of the project, specifying the project team (with a multidisciplinary vision that covers the experience and knowledge in the area of quality, IT and pharmacovigilance processes), establishing the acceptance criteria to validate the system and detailing the methodology to be developed during the project.

Defining the intended use of the computerized system and the service requested from the technology provider

Establishing the user requirements demanded to the system at the operational, security and data integrity, technological and computer level. As well as specifying the quality agreement of the service to be provided by the technological supplier that supports the management of the system.

Ensuring the installation and configuration of the system

Identifying the software and hardware elements that make up the system and ensuring a minimum definition of each of them, establishing the criticality of each element with a risk-based approach and verifying that the final IT infrastructure complies with the technical specifications of each element.

Ensuring system functionality

Elaborating the traceability matrix to identify the functionalities to be used by the organization, checking that there are standardized working procedures that establish the methodology to be followed by system administrators and users, as well as verifying the operational, technical and safety design through the qualification of the system operation (OQ).

Ensuring user activity

By defining users that uniquely identify each member of the organization, designing security profiles according to their job profiles and ensuring their training through a continuous training plan.

Asegurando la integridad de la información

By defining a data integrity audit that analyzes compliance with the ALCOA+ rule of the information flow that is managed by the computerized process throughout its life cycle.

Ensuring the final computerized process

Verifying the integration of all factors mentioned above, ensuring the management, control and traceability of processes.

Bearing in mind that, like any other quality system, it must be maintained over time

Maintenance of the control status through the implementation of management procedures that establish the methodology to follow in the continuous management of the system and audits of periodic evaluation of the status of validation, compliance with the supplier’s service and data integrity.


  1. Computerized system validation is a documented demonstration that a computerized system is suitable for its intended use. A computerized system is a set of physical elements (hardware) and associated programs (software) designed and assembled to perform one or more established activities.
  2. The main risks of the computerized process in the field of pharmacovigilance are to ensure the integrity of the data in the introduction of the case information, to carry out an exhaustive follow-up of these data throughout the life cycle of the electronic registry through the audit trail and to ensure the export and transfer of data of the cases treated to the platforms of the competent authorities.

From OQOTECH we help our clients to design and implement their strategy of qualification of teams in Data Integrity. Contact us and receive personalized advice for your company. We will solve all your doubts and comments.

Article originally published in Pharmatech’s magazine, number 51, July-August 2020

Do you want to download this article? You can do it here

Do you like what you read? Subscribe to our blog!

Your data will be processed by OQOTECH SL, in order to send you our newsletters to your email. The legitimacy of the treatment is your consent, which you can withdraw at any time. Your data will not be transferred to third parties. You have the right to access, rectify and delete your data, as well as other rights as explained in our privacy policy.

I have read and accept the privacy policy
Open chat
Hello! 👋

⌚ We are open from Monday to Thursday from 08:00 to 14:00h and from 15:00 to 17:30h and Friday from 08:00 to 14:00h. (Spanish time)

🚀 Do you want to talk to us about a project we can advise you on?

❓ Do you have any doubts about a subject we can help you with?

Write to us with no commitment, we will answer you as soon as possible! 😊