PSMF Vendor and SDEA Management

Introduction

Modern pharmacovigilance systems rarely operate entirely in-house.

Many organisations outsource activities such as:

• Case processing
• Literature surveillance
• Aggregate reporting
• Medical review
• Signal management support
• Safety database hosting

As outsourcing increases, governance becomes more complex.

Regulators recognise this reality.

Consequently, inspectors frequently review how organisations manage outsourced pharmacovigilance activities and how those arrangements are reflected within the Pharmacovigilance System Master File (PSMF).

The existence of a vendor relationship is rarely the primary concern.

The primary concern is whether accountability, oversight and compliance remain effective.

A Fundamental Regulatory Principle

One of the most important principles in pharmacovigilance is:

Outsourcing activities does not outsource responsibility.

Even when a vendor performs pharmacovigilance activities, the Marketing Authorisation Holder remains accountable for regulatory compliance.

This principle drives many inspection expectations.

It also explains why vendor inventories and oversight arrangements are prominent components of many PSMFs.

Why Vendors Matter Within the PSMF

The PSMF aims to describe how the pharmacovigilance system operates.

If a vendor performs part of that system, inspectors need visibility regarding:

• Which activities are outsourced
• Which vendor performs them
• How oversight is maintained
• Who retains accountability

Without this information, the PSMF cannot accurately describe the pharmacovigilance system.

Vendor Inventories

A vendor inventory is often one of the most important annexes within the PSMF.

Its purpose is simple:

Provide visibility regarding outsourced pharmacovigilance activities.

A mature inventory commonly includes:

The exact structure varies between organisations.

The objective remains the same.

Visibility.

Which Vendors Should Be Included?

A common question is:

Which vendors belong in the inventory?

A practical approach is:

Include vendors that perform activities capable of affecting pharmacovigilance compliance.

Examples include:

• Case processing providers
• Literature monitoring vendors
• Safety database providers
• Call centres
• Medical information providers
• Signal management vendors
• Aggregate reporting support providers

When in doubt, organisations should consider whether the activity could affect patient safety or regulatory compliance.

Vendor Classification

Mature organisations frequently classify vendors according to risk.

Examples include:

Critical Vendors

Failure could directly affect compliance.

Examples:

• Safety database providers
• Case processing vendors

Major Vendors

Important but less critical.

Examples:

• Literature monitoring providers
• Medical information providers

Minor Vendors

Limited impact on compliance.

Classification helps prioritise oversight activities.

Safety Data Exchange Agreements

Many outsourced activities require formal agreements.

One of the most important agreement types is the Safety Data Exchange Agreement (SDEA).

SDEAs help define:

• Responsibilities
• Reporting timelines
• Escalation pathways
• Data exchange requirements
• Compliance expectations

The objective is clarity.

A strong SDEA reduces ambiguity regarding pharmacovigilance responsibilities.

For additional information see:

[[what-is-a-sdea]]

Why SDEAs Matter

Many pharmacovigilance failures occur because responsibilities are unclear.

Examples include:

• Delayed reporting
• Duplicate reporting
• Missing follow-up
• Escalation failures

Well-constructed agreements help prevent these issues.

Inspectors therefore frequently review SDEAs when evaluating outsourced activities.

The Relationship Between Vendor Inventories and SDEAs

The inventory answers:

Who performs the activity?

The SDEA answers:

How is the activity governed?

Both are required.

A vendor inventory without agreements provides limited oversight information.

An agreement without inventory visibility creates governance gaps.

Together they provide a more complete picture.

Oversight Responsibilities

Vendor management extends beyond contract execution.

Effective oversight generally includes:

• Performance monitoring
• Governance meetings
• KPI review
• Deviation management
• Audit activities
• CAPA oversight

Inspectors often focus more on these activities than on the agreements themselves.

How Inspectors Assess Vendor Oversight

Inspectors frequently explore questions such as:

• Which vendors perform pharmacovigilance activities?
• How are they monitored?
• How are issues escalated?
• How is performance assessed?
• How does the QPPV maintain visibility?

These questions help inspectors evaluate whether outsourced activities remain under control.

Common Inspection Findings

Several findings appear repeatedly.

Missing Vendors

A vendor performs activities but does not appear in inventories.

Outdated Inventories

Former vendors remain listed.

New vendors are absent.

Weak Oversight

Agreements exist but oversight evidence is limited.

Unclear Responsibilities

Responsibilities are poorly defined.

Missing SDEAs

Activities occur without adequate agreements.

These findings often indicate broader governance weaknesses.

Vendor Governance Framework

A practical governance model often includes:

Identification

Identify all vendors performing PV activities.

Classification

Assess criticality and risk.

Contracting

Execute appropriate agreements.

Oversight

Monitor performance and compliance.

Review

Periodically reassess risk.

Termination

Manage vendor exits appropriately.

The strongest organisations apply this lifecycle consistently.

The QPPV Perspective

For QPPVs, vendor inventories often provide a rapid assessment of pharmacovigilance complexity.

Questions include:

• How many vendors exist?
• Which activities are outsourced?
• Which vendors are critical?
• Which oversight mechanisms exist?

Reviewing the inventory often reveals risk concentrations quickly.

For additional discussion see:

[[psmf-qppv-oversight]]

Vendor Risk Indicators

Certain patterns should attract attention.

Examples include:

Single Vendor Dependency

One vendor performs multiple critical activities.

High Vendor Turnover

Frequent changes may increase risk.

Limited Oversight Resources

Numerous vendors with minimal governance support.

Repeated Deviations

Persistent quality issues.

These indicators often warrant enhanced oversight.

During Inspections

Inspectors commonly compare:

• Vendor inventories
• SDEAs
• Audit records
• Governance records
• Operational activities

The objective is to verify that outsourced activities remain effectively controlled.

Strong documentation significantly simplifies this process.

Characteristics of a Mature Programme

High-performing organisations typically demonstrate:

• Accurate inventories
• Current agreements
• Defined ownership
• Risk-based oversight
• Effective governance
• Active QPPV visibility

Importantly, these activities occur continuously rather than only before inspections.

Key Takeaways

• Outsourcing activities does not transfer regulatory responsibility.
• Vendor inventories are a critical component of many PSMFs.
• SDEAs define responsibilities and governance expectations.
• Vendor oversight requires ongoing monitoring and review.
• Inspectors focus heavily on outsourced pharmacovigilance activities.
• Accurate inventories and current agreements support inspection readiness.
• Mature organisations treat vendor governance as a continuous activity rather than a contractual exercise.

References

1. EMA Good Pharmacovigilance Practices (GVP) Module I – Pharmacovigilance Systems and Their Quality Systems.
2. EMA Good Pharmacovigilance Practices (GVP) Module II – Pharmacovigilance System Master File.
3. EMA Good Pharmacovigilance Practices (GVP) Module III – Pharmacovigilance Inspections.
4. Regulation (EC) No 726/2004.
5. Directive 2001/83/EC.
6. Commission Implementing Regulation (EU) No 520/2012.
7. EMA Questions and Answers on Pharmacovigilance System Master Files.