Is It Safe to Outsource Safety?


Applied Clinical Trials

Applied Clinical TrialsApplied Clinical Trials-10-01-2010
Volume 0
Issue 0

Knowing when to outsource and when to conduct pharmacovigilance in-house is a crucial decision.

Related Articles

Pharmacovigilance: A Company-Wide Challenge

Clinical Trials and Statistical Tribulations

Ominous Clouds Over Outsourcing

Pharmacovigilance (drug safety) is a cornerstone activity for any pharma company, or indeed anyone conducting clinical studies on patients within academia.

The need to operate a system of pharmacovigilance, which is both compliant to the multinational (and varied) regulations and the highest principles of patient protection, means that sometimes companies are placed in the dilemma of having products in development or on the market which do not generate many adverse events (side effects) but when they require experienced individuals to assess such reports to determine whether the reported events are indeed causally related to the company's product, their seriousness, and whether such events are known already to occur with the product (expected or unexpected).

Once the above assessment has been performed, the company must determine who needs to know about the adverse reaction (e.g. regulatory authorities); whether the current labeling for the product (summary of product characteristics; product monograph; patient leaflet; investigator brochure) suffices or needs revision, and probably most importantly of all—can the adverse reaction be minimized or prevented from occurring in the first place (risk management strategies).

All of the above require highly skilled and experienced individuals to perform such assessments with possible sophisticated (i.e., expensive) safety databases to record and report such events.

No company can afford to have such individuals or equipment sitting and waiting for such events to occur, especially if the company has few products and reactions reported to it—so what is the answer? Is it safe to outsource safety?

The basics

For companies with products in development, or for products that already have licenses (sometimes called marketing authorizations or license holders) it is legally required to have a system in place to capture; assess; and if required, report all adverse reactions that are reported to the company to the regulatory authorities. The company (in clinical trials referred to as the sponsor) must alongside the reporter make their own assessment of the seriousness, expectedness (is it in the labeling or investigator brochure), and causality of all reported events as well.

The method of onward reporting from the company to various individuals (regulatory authorities and ethics committees) may be in paper format or may be legally required to be submitted in a specific electronic format.

Additionally, and periodically, the sponsor may have to provide submissions to the regulatory authorities—annual safety reports in clinical trials or more frequent post marketing reports: Periodic Safety Update Reports (PSURs)—looking at all of the adverse reaction data between two time points and assess the overall benefit/risk ratio of the product to determine whether it is still favorable to provide such medicines to the intended patient population.

Therefore, it is important for the company to have available trained safety professionals: safety scientists, pharmacists, and physicians knowledgeable in the area of pharmacovigilance to provide such assessments.

Additionally, the company needs a checklist (Table 1) of what needs to be performed before it can determine the suitability for any third-party provider assuming the company's role for safety activities.

Table 1. A company needs a checklist of what needs to be performed before determining the suitability of any third-party provider assuming the company’s role for safety activities.

The list in Table 1 is not exhaustive but provides some of the key activity requirements of a license holder or sponsor.

Looking at such a comprehensive set of requirements means that the provider of such services has to have individuals suitably trained in these areas; standard operating procedures (SOPs), to explain how such activities are performed; and evidence that the system is operating as stated and complies with the necessary legislation.

Ultimately, in any situation where the safety aspects for the company's product (investigational or marketed) have been outsourced to a contracted company (CRO), the responsibility and accountability rests with the sponsor (in clinical trials) and the license holder (for all marketed products).1

It may seem unfair that the company (in good faith) has approached the specialists in order to ensure compliance to safety legislation, but in Europe and the United States, the legislation is quite clear, the license holder or sponsor carries ultimate responsibility for patient safety.

This means any outsourcing of safety should be viewed as an intimate partnership—a marriage. Non-communication is not an option. Outsourced does not mean out of mind.

The only way both parties will get the most out of such a union is through active dialogue: an understanding of what is required of both parties; regular reviews (teleconferencing and face-to-face) to ensure everything is working as it should be; and most importantly, evidence (meeting notes and action items including possible sign off) of such communication.


Compliance monitoring is required by legislation to ensure the company is reporting accurately to the various regulatory agencies, in the correct timelines, in the correct format, and with the acceptable and appropriate signatories. All of these require a system to be in place (as well as specific SOPs) that will enable the various regulatory outputs to be monitored for compliance and quality.

Therefore, the CRO should provide the company with evidence that it has performed everything within the regulatory time frames on a periodic basis so that the company has surety of compliance.

Any instances of non-compliance need to be investigated by both parties to ensure it cannot occur again. The company needs to be active in this area as well, especially if the reason for late submissions is because one of their marketing partners is providing information that is late and therefore placing the company's compliance in jeopardy.


The only way to know whether the provider of safety information is capable of performing the tasks that you want is to audit them. But, how can you audit them when you may not have the internal expertise to do so? There are a number of possibilities.

There are many individuals who perform regular audits on behalf of companies, trained in pharmacovigilance, who understand what needs to be in place. These individuals can perform the audit on behalf of the company, to ensure that the company has a report regarding the capability of the proposed pharmacovigilance supplier. The report should detail the extent of any deviation (critical, major, or minor) from legislation, from the processes described by the CRO and the company's training records concerning staff training and competency.

Some providers may also have their own audits performed upon themselves as part of their own quality management activities. These involve the provider (CRO) getting external pharmacovigilance auditors to audit their systems (or a separate QA department with pharmacovigilance expertise in their own company) in order to determine whether the systems, training, and documentation are robust enough.

The CRO should make the findings available to clients, or proposed clients, to provide confidence that the CRO has the appropriate systems in place. Naturally, there will be some findings from any audit. But they should never be critical failures from CROs claiming to be the experts.

Lack of any audit by the company is not viewed favorably by the regulatory agency, but using the company's external quality management system as an approach to decide to use their services or an audit from an experienced provider is acceptable. Such audits should not be performed once and forgotten, repeat at least every two years.

Once an audit has been performed and was successful in terms of the findings and any corrective items addressed as a result of an audit, the path is clear to appoint the CRO.

The contract

As is often said, "the devil is in the detail." This is true concerning the contract between the company/sponsor and the CRO. There are legal elements in every document concerning terminations; judicial aspects; confidentiality; etc., as well as the financial elements, but predominantly the contract has to focus upon what do you expect the CRO to do?

The contract has to provide the checklist of what the company wants the CRO to do, this may be all of the pharmacovigilance (and medical services) or parts of it. The contract will be used by the regulatory agency when they inspect the company, looking to see what the CRO was responsible for and what the company was supposed to do, making their findings known based upon who was responsible.

Equally, in any audit of the CRO, it is the proposed contract that should be used for the audit because it details the expectations and services to be provided.

Within the contract, there may be elements that are nice to have as opposed to must have—because the regulations state so. Therefore, in Europe there is one individual that is responsible for the oversight of the pharmacovigilance system, in legislation this person is referred to as the EU Qualified Person for Pharmacovigilance (EUQPPV). This is a must have for all license holders in the EU. Also, the EUQPPV must be "trained in all aspects of pharmacovigilance." This is not an option and not a position a company should attempt to support by itself. If the company does not have such an individual working for it, asking someone to take on this role is not correct. The EUQPPV must be registered with the Regulatory Agencies too. The EUQPPV also has to have available a suitably qualified deputy. The contract should clearly state who covers which activities, and should specify what products are covered by the agreement and the current status with regard to license submissions.

In Europe it is mandatory to report adverse reactions electronically, whereas in the United States this is not yet mandated but encouraged. Likewise, reporting adverse reactions in Japan is required to be in electronic format and mandatory.

Regulators in inspections make no differentiation between generic companies, herbals, over-the-counter, or innovator companies. The level of compliance to the legislation and the processes to report and assess potential safety issues with the products is the same. The contract is an essential element of this and would cover all of this for the various company product portfolios.

Advanced aspects

Large companies versus small companies. Large companies with extensive product portfolios tend to have their own safety systems in place but still require from time to time, additional resources for specific projects: data entry and case processing, PSUR writing, risk management activities, temporary cover for maternity leave, secondments to other affiliates, etc.

Since this is more person oriented rather than process, the key element here is can the person perform the required task(s)? Are they trained already to perform these activities?

This is where the CRO should be able to provide a copy of the person's training record to demonstrate their experience in the area they are being asked to perform. Copies of such training should remain with the company, together with any additional training on company processes in order to perform the activities the way the company does.

Additionally, companies may outsource some of their safety to a CRO because they have old products that do not generate much safety work but still require management. Some of the safety for a company's products is fully outsourced to a CRO allowing the existing pharma staff to focus their energies on new product launches that due to a lack of time have been marketed or the full safety profile has not been established because of low patient exposure.

Equally, before outsourcing to the CRO, another aspect to competency has to be considered: capacity. Can the CRO cope with the new workload being provided to them? No one likes to say no to new business but there has to be an appreciation of competency and capacity. If capacity is exceeded, competency declines.

Therefore, for any outsourced activities the company has to be clear on whether this will now exceed the capabilities of the CRO.

Multinational companies versus national companies. Which is bigger: the company with 30 products in one country or the company with five products in six countries?

It would have to be the latter. For each country there may be different reporting requirements, other affiliates or marketing partners, multiple PSUR submissions to different countries requiring different presentation.

The company with products in one country alone has only one set of regulations to follow, the contact points are easier, and there is only one language used. Multinational companies require more management of the processes and the safety reporting elements as well as possible translation requirements. It is important to understand the contract. Where are these products marketed and by whom? Many countries differ in their safety reporting requirements.

Again, for calculating capacity (as well as compliance), the more multinational the company's products, the more potential for safety reporting errors. You need to choose a CRO that has multinational safety reporting expertise.

The marriage of the company and the CRO

Once the contract has been signed and the activities begin between the company and the CRO, we find out if it was a marriage of convenience or a true partnership. A convenience relationship is one where the company allows the CRO to perform all of the safety activities but neither monitors or provides any input into the activities or information generated from the CRO.

Since safety and safety compliance is a critical aspect of a company's activities, and if done improperly can result in it receiving fines and license suspensions, this approach would be wholly unacceptable to the regulatory inspectors.

Instead the regulators would be looking for the fully engaged partnership approach to safety where the company is kept fully updated by the CRO against any emerging safety issue together with checking the compliance to ensure that all safety submissions to the regulatory agencies have been provided according to national regulations. The regulators would be looking for safety reviews jointly signed by the license holder and the CRO showing that there had been understanding of what had been identified, a plan of what to do next, and an execution of that plan. It also provides the company with full transparency concerning the safety activities and compliance.

The regulators would then be satisfied that there was a full partnership between the company and the CRO and there had not been a divorce between both parties, both working in isolation and not sharing any potential safety problems and working out possible solutions.

When safe may become unsafe for outsourcing

During any life cycle of a contract, due to changes in circumstance, what at one point in time was "safe" to perform activities in a certain way now becomes "unsafe."

Company product portfolio. The company acquires more and more products in more and more countries (either through new licenses or the acquisition of products from other companies or company takeovers). This means the workload on the CRO grows dramatically, and as a result, capacity is exceeded. Unless the company can plan ahead to warn the CRO of the potential increase, then the CRO may not have the internal staff required to cope with the increase.

Equally, as the company grows in size a threshold will be reached when the size of the product portfolio and the number of countries the products are in will exceed the cost effectiveness of outsourcing.

What does this actually mean? Well, in the beginning, the company generated little safety because it had few products in few countries, with the result that to employ its own people to perform such activities would be inefficient from a cost point of view because they would have individuals sitting around waiting for an adverse event report to come into the company.

The threshold for bringing pharmacovigilance into the company may then be determined by:

  • Number of products

  • Number of products in development

  • Number of countries that market the product(s)

  • Type of products the company has (over-the-counter versus oncology products)

  • Number of adverse events received by the company

  • Type of adverse events received (serious or non-serious)

  • Amount of follow up of adverse events required

  • Number of PSURs to write

  • Number of products with risk management plans

  • Amount of staff requiring pharmacovigilance training

As the number of reports; the volume of safety processing; safety analysis; and periodic submissions increase, individuals would be fully employed dealing with such data. When this occurs (from a cost perspective alone) it may be more appropriate to bring this in-house. Such a transition would not happen overnight, there would need to be a coordinated hand over during this period to ensure that all activities were still conducted in a compliant manner.

The CRO can still work with the client on an on-going basis because there are many external activities (such as audits of affiliates or marketing partners) that are necessary to perform without removing staff from their daily activities. Additionally, support during staff holidays, etc. can still be supplied by the CRO. From a company risk perspective, as the portfolio of products and countries marketed increases, the potential risk to the company may increase as it is not in control of its own data. Although there are various systems, which can be put in place to ensure that such information can be shared, the company may realize that it is better to be closer to the safety data than have it based externally.

The company mantra

Many small- to medium-sized companies operate under the philosophy of "virtual" services, a valid approach to a number of aspects of the company's work (e.g., regulatory, clinical, pharmacovigilance, and medical services). The company may also have a philosophy of establishing itself in strategic marketplaces that will make the company attractive to purchase by another pharma company or as a development company to develop a product in clinical trials to a certain stage and then look for a development partner.

Under these situations, "virtual" becomes another attractive proposition for outsourcing because it is not building a redundant system. Once the takeover or merger has happened the staff and any systems (e.g., safety databases) will not be required. This model is the correct approach.

If, however, the company changes its philosophy and decides to enlarge and develop further then the question of when (rather than if) to bring pharmacovigilance in-house will be raised again and the company must have a rationale for how it will determine the point at which it will need to conduct safety internally.

This has to be governed to some extent by the potential safety risks the company's product portfolio has for patients together with the cost implications of continual outsourcing.


There is no mathematical formula to work out at what point a company should seriously look to conduct pharmacovigilance in-house.

A company with 200-marketed products with licenses in 40 countries worldwide should have at least a good proportion of its pharmacovigilance conducted internally to demonstrate oversight of the safety of its products. Section 1.3 of Eudralex, volume IXa (September 2008) for Europe states:

A Marketing Authorization Holder [MAH] may transfer any or all of the pharmacovigilance tasks and functions, including the role of the QPPV, to another person(s) or organization, but the ultimate responsibility for the fulfilment of all pharmacovigilance obligations and the quality and integrity of this always resides with the Marketing Authorization Holder.

The same holds true for US regulations2, where although an individual is not cited, the license holder is responsible for ensuring compliance and any service provider would also be cited alongside.

Therefore, although pharmacovigilance may be outsourced to a CRO, the ultimate responsibility for the safety of the license holder's products rests firmly with the license holder (MAH).

A company with 20 products in a few countries, which generate very few adverse events (mostly non-serious), can feasibly outsource pharmacovigilance to a CRO.

There will always be "gray areas" of companies that fit somewhere in-between these kind of product numbers and amount of safety reporting. For these companies, demonstration that they were involved in the safety assessments and kept routine monitoring of the CRO in terms of compliance and safety analysis will ensure that when inspected by the regulatory agencies they can demonstrate responsibility to manage the safety of their products and remain compliant. Under these circumstances, the demonstration that the company has engaged with the CRO to produce safety compliant systems is the aspect the regulatory authorities want to see to ensure patient safety remains the goal of all parties.

Graeme Ladds, PhD, is Director at PharSafer Associates Ltd., 29 Frederick Sanger Road, Guildford, Surrey GU2 7YD, UK, e-mail:


1. Eudralex, Pharmacovigilance for Medicinal Products for Human Use, Volume IXa (Sept 2008).

2. Food and Drug Administration, Code of Federal Regulations, Title 21, 310.305, 314.80, 314.98, and 610:80.

Related Content
© 2024 MJH Life Sciences

All rights reserved.