The Pharmacovigilance System Master File (PSMF) is a core component of the European pharmacovigilance framework and a focal element of regulatory oversight. This guide expands the practical and governance aspects of PSMF oversight and provides a GVP‑aligned, inspection‑ready framework for organising, maintaining and presenting the PSMF in regulatory and inspection contexts.
Purpose and scope - The PSMF describes the pharmacovigilance (PV) system used by a marketing authorisation holder (MAH), providing a single, structured source of information on people, processes, systems, governance and product coverage used to meet legal PV obligations. - The PSMF is a living artefact: it must be accurate, complete and verifiable against the operating PV system. - This guide aligns with EMA GVP Module II and with EU PV legislation; it explains the expected PSMF structure, required annexes, practical maintenance and version‑control practices, governance responsibilities and inspection readiness measures.
Regulatory context - The PSMF is defined and required under EU pharmacovigilance legislation and the EMA’s GVP framework. Inspectors use the PSMF as a map to plan and conduct inspections and to identify areas requiring documentary or operational evidence. - Key regulatory references are listed at the end of this guide; where GVP provides specific content or annex guidance, follow those provisions and use this guide to operationalise them.
PSMF structure (GVP‑aligned) Below is a practical, GVP‑aligned PSMF structure with the content required in each section and inspection‑relevant evidence examples. Organisations may cross‑reference internal SOPs and use hyperlinks to annexes, but the PSMF must remain self‑contained and navigable.
- Administrative information and scope
- MAH name, address(es), EU contact points and affiliates relevant to the PV system.
-
Effective date, version number, author, document owner, QPPV name and contact details, location of the master and local PSMF copies. Inspection evidence: organisational chart, contact list, QPPV appointment letter, master PSMF repository path.
-
Overview of the pharmacovigilance system
- High‑level description of the PV system architecture: organisational model (centralised/decentralised), functional responsibilities and interfaces (medicines safety, regulatory affairs, clinical, commercial, legal, IT).
-
How PV activities are coordinated across affiliates, local representatives, licensees and third parties. Inspection evidence: simplified process maps, responsibility matrices (RACI), SOP index demonstrating linkage.
-
Organisation and personnel
- Detailed PV organisation chart with names, roles and delegated responsibilities, including deputies and local PV leads.
- CV and qualifications of the QPPV and deputies (annex).
-
Training and competence management approach for PV personnel. Inspection evidence: CVs, training records, role descriptions, delegation logs.
-
Pharmacovigilance processes and procedures
- Index of PV core SOPs and process descriptions for ICSR intake, triage, coding, causality assessment, expedited reporting, signal management, PSUR/PBRER preparation, risk minimisation, safety surveillance, and safety communications.
-
Description of process ownership and interdependencies. Inspection evidence: SOPs, work instructions, ICSR workflow diagrams, KPI reports.
-
Sources of safety data
- List and description of sources (spontaneous reports, clinical trials, post‑authorisation safety studies, literature, registries, partner reports, non‑interventional studies, social media screening).
-
Mechanisms used for data capture and reconciliation across sources. Inspection evidence: literature screening procedure, studies list, agreements with data providers.
-
Computerised systems and data management
- Inventory of all validated systems supporting PV (safety database, signal detection tools, aggregate reporting tools, e‑mail and portals used for AE intake, EHR links).
- Description of system interconnections, hosting locations (on‑premise, cloud, provider), data backup, retention and business continuity arrangements.
-
Summary of validation status and change control processes for each critical system. Inspection evidence: System inventories, validation certificates, SOPs for change control, user access matrix.
-
Quality management system and compliance activities
- PV quality policy, QA organisation, audit programme (internal and vendor audits), corrective and preventive action (CAPA) processes, non‑conformity handling, management review.
-
Compliance monitoring: metrics, trend analysis, inspection follow‑up. Inspection evidence: audit schedule, recent audit reports, CAPA logs, management review minutes.
-
Contracts, agreements and vendor oversight
- List of all third‑party providers performing PV activities (safety database vendors, CROs, call centres, medical information providers) and a summary of PV‑related contractual obligations.
-
Oversight mechanisms: SLAs, KPIs, periodic review, audits, escalation paths. Inspection evidence: sample contracts with PV annexes, PV agreements, evidence of oversight activities.
-
Business continuity and disaster recovery
- Business continuity plans (BCP) and disaster recovery (DR) for key PV functions and critical systems, with defined RTOs and RPOs.
-
Arrangements for QPPV continuity, access to ICSR data and critical documentation during disruption. Inspection evidence: BCP/DR plans, test records, alternate contact arrangements.
-
Product portfolio and national coverage
- Comprehensive list of medicinal products covered by the PSMF: product name, MA numbers, marketing status per Member State, local PV contacts and local PSMF pointers where relevant.
-
For groups of products (portfolio approach), mapping of specific PV processes to product sets. Inspection evidence: product list, MA information, product‑level SOPs or specific safety measures.
-
Performance metrics and improvement
-
PV KPIs and SLAs, periodic reports, trend analyses, and actions taken to address performance shortfalls. Inspection evidence: KPI reports, meeting minutes demonstrating review and improvement actions.
-
Appendices and index
- Index of annexes (see next section) and a change history log summarising revisions to the PSMF.
Required annexes (inspection‑oriented) EMA GVP expects a set of annexes to sit alongside the core PSMF. The annexes are privileged places for operational evidence and should be maintained as controlled documents. Typical annexes include:
- Annex A: QPPV identification
- Full name, professional qualifications, CV, contact details, copy of the QPPV nomination/appointment, evidence of resident EU contact (if applicable).
-
Inspection relevance: inspectors will verify QPPV identity and accessibility.
-
Annex B: Deputies and local PV contacts
- List of deputies with CVs, contact details and documented delegation of responsibilities.
-
Evidence of deputisation plans for absence scenarios.
-
Annex C: PV SOP index and controlled procedural documents
- Indexed list of current SOPs with revision numbers and location links.
-
Quick access to SOPs most likely needed during inspection (ICSR processing, expedited reporting, signal management, auditing).
-
Annex D: Product list and MA documentation
- Product inventory with MA numbers, national license status and pharmacovigilance contact points.
-
Copies or references to product information (SmPC) and risk‑minimisation measures where relevant.
-
Annex E: Safety database and IT system evidence
- System inventory, architecture diagrams, validation status, access control lists, interfaces and data flow diagrams, vendor contact details, data hosting locations, backup schedules.
-
Key validation reports and UAT sign‑offs.
-
Annex F: Contracts and PV agreements
-
Redacted copies of Master Service Agreements (MSAs), PV agreements or Delegation of Activities and Responsibilities (DARs), defined deliverables, SLAs and KPIs.
-
Annex G: Audit reports and inspection history
-
Internal and external PV audit reports, inspection reports, CAPA logs, closure evidence and management review outcomes.
-
Annex H: Training records
-
PV training curriculum, attendance records for key staff, induction training evidence for new PV personnel and vendors.
-
Annex I: Business continuity and disaster recovery
-
BCPs, DR test reports, QPPV continuity plans and evidence of alternate operating arrangements.
-
Annex J: Risk management and signal documentation
-
Signal detection policy, examples of signal files, safety committee minutes, PRAC/EMA interaction records.
-
Annex K: Delegation logs and organisational charts
-
Signed delegation of authority matrices, updated organisational charts.
-
Annex L: Data protection and confidentiality arrangements
-
Data processing agreements (DPA), information security certificates, privacy impact assessments where relevant.
-
Annex M: Local PSMFs and regional adaptations
- Pointers to local PSMFs maintained by affiliates, with a summary of deviations and local responsibilities.
Practical annex management - Keep annexes in the master PSMF repository; where large files are impractical, provide stable links and store a short evidence extract inside the PSMF (e.g., a signed page or index). - Ensure annexes are routinely reconciled to the core PSMF content with cross‑reference checks during each review cycle.
Maintenance checklist (inspection‑ready) Implement a documented maintenance process including both scheduled and trigger‑based updates. Maintain a checklist and evidence trail for each review. Example checklist items:
PSMF periodic review (minimum expectations) - Owner: nominated PSMF owner (usually Head of PV or delegate) with QPPV oversight. - Frequency: complete PSMF review at least annually; targeted topical reviews every 6 months or when indicated by triggers (see below). GVP advises updates to reflect the current PV system — frequency should be risk‑based and documented. - Review activities: - Verify organisation chart, QPPV/deputy details and contact information. - Reconcile product list and MA status across Member States. - Confirm current SOP index and revision status. - Confirm validation and status of critical IT systems and backup arrangements. - Review audit findings and CAPA status; update annexes accordingly. - Verify contracts and vendor oversight records are current. - Confirm BCP/DR plans and evidence of recent tests. - Ensure training records for key personnel and vendors are up to date. - Evidence required: signed review log with date, reviewer name, summary of changes, cross‑references to amended documents, version history entry.
Triggers for immediate (ad‑hoc) update - QPPV or deputy changes, including contact and appointment evidence. - Major organisational change affecting PV responsibilities (outsourcing, M&A). - Transfer or change of safety database or other critical IT systems. - New product licence, termination or significant change in product portfolio. - Major audit finding or regulatory inspection outcome requiring PSMF amendments. - Data breaches or business continuity events affecting PV operations. - Legal or regulatory changes requiring changes to PV procedures.
Change control and documentation - Every change to the PSMF must be executed under a formal change control procedure: - Description of change, reason, impact assessment, affected annexes/sections. - Review by functional SMEs (PV operations, QA, Regulatory, IT, Legal as needed). - QPPV or authorised delegate sign‑off. - Entry into the version history with timestamp, approver, and summary. - Archive previous version(s) according to document retention policy.
Version control practices (inspection‑focused) A consistent, auditable version control approach is essential. Implement and document these practices:
- Unique version identifiers
- Use a structured version number scheme (e.g., vYYYY.MM.DD or vMajor.Minor) that is also reflected in the file metadata and PSMF header.
-
Record change summary, author, reviewers, approvers and effective date in a dedicated change history section at the front of the PSMF.
-
Document approval workflow
- Changes require review by named SMEs and formal sign‑off by QA and the QPPV (or designated delegate).
-
Maintain digital signatures or documented sign‑off emails as audit evidence.
-
Controlled repository and access controls
- Store the live master PSMF within the organisation’s controlled document management system (DMS) with version and access control.
- Read‑only snapshots for inspection or distribution; do not distribute working copies that cannot be reconciled.
-
Logging and audit trail of access, modifications and exports.
-
Archival and retention
- Retain prior versions for the period required by regulatory obligations (commonly for the life of the marketing authorisation plus the defined retention period).
-
Keep a readily accessible index of archived versions and reason for each change.
-
Publication of local (read‑only) PSMFs
- Where local PSMFs exist (national or affiliate variations), maintain a linked summary in the master PSMF and a cross‑reference table of differences.
Governance and roles Clear governance ensures the PSMF accurately reflects the PV system and that responsibilities for maintenance are enforced.
QPPV responsibilities - The QPPV is ultimately accountable for the effectiveness of the pharmacovigilance system and for ensuring the PSMF accurately describes that system. - The QPPV must be aware of the PSMF content, able to access it promptly during inspections and be able to explain how the documented system operates in practice. - The QPPV is the authorised signatory for PSMF approval and must ensure evidence of delegation when responsibilities are delegated.
Corporate governance - Define a PSMF governance committee or designate an owner responsible for coordination (Head of PV or Quality). - Define roles for cross‑functional contributors: Regulatory Affairs (MA status and product info), IT (systems and validation), Legal (contracts and data protection), QA (audit and CAPA), Commercial/Local affiliates (country‑specific PV arrangements). - Establish regular governance touchpoints (quarterly PSMF review or PV governance board) to ensure alignment and escalation of issues.
Vendor oversight governance - Maintain a register of PV vendors with evidence of due diligence, contracts, SLA/KPIs and a schedule of oversight activities (audits, scorecards). - For critical vendors (safety database, call centres), ensure documented continuity plans, access arrangements, and direct QPPV access to data where required.
Inspection readiness — what inspectors expect Inspectors will use the PSMF to understand the PV system quickly and as a roadmap to request documentary and operational evidence. Key inspection expectations include:
- Accessibility: The inspector must be able to locate the PSMF (physical or electronic) and identify the QPPV without delay. Provide a clear guide page with repository location, contact details and inspection process owner.
- Currency: The PSMF must be up to date; inspectors commonly check recent organisational changes, QPPV and deputy appointments and the current status of the safety database.
- Traceability: Inspectors will trace statements in the PSMF to supporting evidence (SOPs, contracts, validation reports, audit reports). Ensure direct links or reference pages are available and that annexes contain the required evidence.
- Consistency: Inspectors cross‑check the PSMF against operational practice. Discrepancies (e.g., SOP superseded but not updated in PSMF) are a common source of findings.
- Business continuity: Inspectors will verify arrangements for continuity of PV activities and accessibility of critical data during disruption, and whether the QPPV’s responsibilities can be fulfilled in adverse scenarios.
- Vendor oversight: Inspectors review evidence that MAHs supervise outsourced PV activities adequately — contracts, KPIs, audit reports and CAPA evidence must be readily available.
- System validation: For safety databases and other critical IT systems, inspectors expect to see system validation status, change logs and evidence of data integrity controls.
Practical implementation: building an inspection‑ready PSMF Architecture and repository - Master copy: a controlled, read‑only “master PSMF” within a validated DMS, with read/write access restricted to authorised document owners. - Live evidence library: annexes stored in a secure file repository with stable identifiers; ensure that large annexes (e.g., full safety database validation reports) are available as indexed extracts with full documents accessible upon request. - Remote inspection pack: maintain a pre‑prepared, versioned remote inspection pack (RIP) that contains the PSMF and the most frequently requested annexes, with a manifest and approved export stamp. Update the RIP following each major PSMF revision.
Templates and cross‑references - Use controlled templates for the PSMF and for annexes to ensure consistent formatting and to avoid missing information. - Implement a cross‑reference table mapping PSMF sections to SOPs, annexes and system records (quick lookup table for inspectors).
Change validation and impact assessment - For any change that affects PV operations, perform an impact assessment that includes implications for the PSMF and annex content. Record completed assessments and updates as part of change control.
Inspection simulation and readiness testing - Regularly perform internal PSMF audits and “inspection readiness drills” that test the ability to locate and present PSMF sections and annexes within a defined timeframe. - Include mock queries from inspectors (e.g., provide a statement and ask the PSMF owner to produce supporting evidence within 24 hours).
Sample index for inspectors (quick access) - QPPV CV and appointment letter. - Current organisational chart and delegation log. - SOPs: ICSR processing, expedited reporting, signal management, audit and CAPA. - Safety database vendor MSA and validation summary. - Recent internal PV audit report and open CAPAs. - BCP/DR plan and recent test report. - Product list with MA numbers.
PSMF maintenance KPIs Suggested KPIs to demonstrate governance and continuous improvement: - PSMF review completion rate (on time vs scheduled). - Number of PSMF discrepancies identified during internal checks or inspections. - Percentage of annexes reconciled during each review cycle. - Time taken to assemble remote inspection pack. - Time to provide requested PSMF evidence during an inspection.
Inspection evidence trail (minimum) For inspection readiness, maintain a clear evidence trail for each PSMF change: - Change request record. - Impact assessment. - SME review comments. - QA and QPPV approvals. - Version history entry with effective date and distribution list. - Archived prior version(s) with reasons for change.
Data protection and confidentiality considerations - Ensure that annexes and PSMF content do not disclose identifiable patient data; where excerpts of case reports are necessary, apply appropriate redaction according to data protection and confidentiality policies. - Maintain DPAs and ensure vendor hosting locations and cross‑border data transfers are documented.
Annex quick‑reference checklist (for immediate use) - QPPV and deputy CVs and appointment letters — present and dated. - Organisational chart — current and signed. - Product list and MA details — reconciled to regulatory registry. - SOP index — includes revision numbers and effective dates. - Safety database evidence — vendor contact, validation summary, UAT dates. - Contracts and PV agreements — signed copies or redacted versions showing PV clauses. - Recent PV audit report and CAPA log — with closure evidence for older actions. - BCP/DR documentation and test evidence — recent test results. - Training records for PV staff and key vendor personnel. - Change history and version control log — complete for last 12 months and summary for earlier years.
Inspection scenarios and rapid response - On receipt of an inspection notification, designate a PSMF inspection lead (single point of contact) who coordinates document access, logs requests and ensures secure transfer. - For on‑site inspections, prepare a locked, read‑only copy of the master PSMF and the agreed annexes; ensure named contacts are briefed and present. - For remote inspections, use the pre‑prepared Remote Inspection Pack and a secure file transfer mechanism; maintain an activity log of queries and responses.
Concluding governance note The PSMF is both a descriptive and governance instrument: it must accurately portray how the pharmacovigilance system operates and provide inspectors with direct, verifiable pathways to evidence. Effective PSMF oversight combines disciplined document control, cross‑functional ownership, robust vendor governance and demonstrable QA oversight. The QPPV’s oversight role is central — the QPPV must be able to attest that what is described in the PSMF is the system that operates in practice.
Referenced regulatory citations - EMA, Guideline on Good Pharmacovigilance Practices (GVP) — Module II: Pharmacovigilance System Master File (PSMF). European Medicines Agency. - EMA, Guideline on Good Pharmacovigilance Practices (GVP) — Module I: Pharmacovigilance systems and their quality systems. European Medicines Agency. - Directive 2001/83/EC as amended (including Directive 2010/84/EU) — Community code relating to medicinal products for human use. - Regulation (EU) No 1235/2010 and Directive 2010/84/EU — strengthened pharmacovigilance legislation. - ICH E2E — Pharmacovigilance Planning (where relevant to product‑level PV planning). - National competent authority guidance and inspection manuals (as applicable per Member State).
Related Guides - What is a QPPV? - QPPV Responsibilities - EU QPPV Requirements
Last reviewed: June 2026