EU PV Regulatory Intelligence news: EU Commission Implementing Regulation 2025/1466 Other
guides
NextPV Services
  • Safety Corner
  • Articles
  • Setting up and maintaining a safety database: best practices including validation

Setting up and maintaining a safety database: best practices including validation

How do you choose, validate, and maintain a safety database for pharmacovigilance?

A validated safety database is the operational backbone of any pharmacovigilance system. It is where Individual Case Safety Reports (ICSRs) are processed, stored, and submitted to regulatory authorities. It is where signal detection queries run, where PSUR data is extracted, and where audit trails document every safety decision. An unvalidated or poorly maintained database is one of the most common critical findings during pharmacovigilance inspections.

The regulatory requirements for safety databases are defined by EU Annex 11 (Computerised Systems), EMA GVP Module I (EMA/541760/2011 Rev 2) and its annex on computerised systems, and the industry-standard GAMP 5 (Good Automated Manufacturing Practice) framework.

Setting Up a Safety Database

Requirements Gathering

Before selecting a database, define your requirements:

Functional Requirements

  • ICSR data entry in ICH E2B(R3) format
  • MedDRA coding support (with version updates)
  • Causality assessment workflow
  • Medical review and QC workflow
  • Expedited and periodic report generation
  • EudraVigilance submission capability (EVWEB or gateway)
  • FDA FAERS submission capability (if US-marketed products)
  • Signal detection query support
  • Duplicate detection
  • Audit trail for all data changes (per EU Annex 11)

Regulatory Requirements

  • Data privacy compliance (GDPR for EU data)
  • EU Annex 11 computerised system requirements
  • GVP Module I annex on computerised systems

Operational Requirements

  • Expected ICSR volume (current and projected 3–5 years)
  • Number of concurrent users
  • Geographic access requirements (EU, US, global)
  • Integration needs (EudraVigilance gateway, literature monitoring tools, clinical trial systems)
  • Hosting preference (cloud-based SaaS vs. on-premise)

Choosing the Right Database

Commercial safety database platforms used in the industry include Oracle Argus Safety, ArisGlobal LifeSphere, and others. Evaluation criteria:

  • Regulatory compliance out-of-the-box (E2B(R3) support, EudraVigilance integration)
  • Validation documentation packages provided by the vendor
  • Scalability (can it handle your projected growth?)
  • Total cost of ownership (licensing, hosting, validation, maintenance)
  • Vendor track record with PV inspections

For biotech companies with 1–2 products and low ICSR volumes (<50 cases/year), simpler solutions or shared database environments may be more cost-effective than enterprise platforms. Some PV service providers (including NextPV) offer access to validated safety databases as part of outsourced PV services, eliminating the need for the MAH to license and maintain their own system.

Database Design and Configuration

  • Schema design: Configure the database to capture all required E2B(R3) data elements, with appropriate field validations and business rules
  • Workflow configuration: Set up case processing workflows that match your SOPs (intake → triage → data entry → medical review → QC → submission)
  • User roles and access controls: Implement role-based access per EU Annex 11, Section 12 — users should only access functions relevant to their role
  • Audit trail configuration: Ensure that all data entry, modifications, and deletions are automatically logged with user ID, timestamp, and reason for change

Validating a Safety Database

What is Computerised System Validation (CSV)?

Validation is the documented process of demonstrating that a computerised system consistently performs according to its intended use and regulatory requirements. For safety databases, this means proving that the system accurately captures, processes, stores, and reports ICSR data.

Validation Framework

The industry-standard approach follows the GAMP 5 framework combined with EU Annex 11 requirements:

Step 1: Validation Plan

A documented plan describing the validation approach, scope, roles, and acceptance criteria. Approved before any testing begins.

Step 2: User Requirements Specification (URS)

Defines what the system must do from the user's perspective — all functional and regulatory requirements.

Step 3: Functional Requirements Specification (FRS)

Translates user requirements into technical specifications — how the system will fulfill each requirement.

Step 4: Installation Qualification (IQ)

Verifies that the system is installed correctly in the target environment — hardware, software, network, and security configurations.

Step 5: Operational Qualification (OQ)

Tests that the system functions correctly under normal operating conditions — each configured workflow, business rule, and calculation is tested against the FRS.

Step 6: Performance Qualification (PQ)

Tests the system under conditions that simulate real-world use — end-to-end case processing, report generation, EudraVigilance submission testing.

Step 7: Validation Summary Report (VSR)

Documents all testing results, any deviations encountered, and the conclusion that the system is validated for its intended use.

Ongoing Validation

Validation is not a one-time event. Per EU Annex 11, Section 11:

  • Any change to the system (software update, configuration change, new integration) must be assessed for validation impact
  • Significant changes require revalidation (partial or full)
  • Periodic reviews (typically annual) should confirm that the system remains in a validated state

Maintaining a Safety Database

Data Quality Management

  • Ongoing QC: Regular quality checks on case data to ensure accuracy, completeness, and consistency
  • MedDRA updates: Implement new MedDRA versions per EMA requirements (typically updated every 6 months)
  • Data clean-up: Periodic review of database content to identify and resolve data quality issues (duplicate cases, incomplete records, coding errors)

System Maintenance

  • Software updates: Apply vendor-provided patches and updates on a regular schedule. Each update must be assessed for validation impact per the change management process.
  • Security patches: Apply promptly to protect against vulnerabilities
  • Performance monitoring: Monitor system performance (response times, submission success rates, storage capacity) and address issues proactively
  • Backup and disaster recovery: Implement regular automated backups. Test disaster recovery procedures at least annually. Document recovery time objectives (RTO) and recovery point objectives (RPO).

User Management and Training

  • Access reviews: Regularly review user access to ensure the principle of least privilege is maintained. Remove access for departed personnel promptly.
  • Training: Train all new users before they access the system. Provide refresher training when significant system changes are implemented.
  • Support: Maintain a help desk or support process for users to report issues and request assistance

Conclusion

A validated safety database is a regulatory requirement and an operational necessity. EU Annex 11 and GVP Module I define the requirements; inspectors verify compliance. The setup, validation, and ongoing maintenance of a safety database require specialized expertise that combines PV operational knowledge with IT validation discipline.

For biotech companies entering the EU market, the choice between licensing your own safety database and using a provider's validated system should be driven by ICSR volume, budget, and long-term strategy. In either case, the validation requirements are the same.