Auditing of safety databases can be a complex proposition for many of us. Assessing safety requirements is one major part of it; the added complexity of understanding the database build, the technology involved and the controls around it are the other major part of the audit. It requires a balance between understanding safety requirements and the technical infrastructure that supports them. Safety databases, especially in the pharmaceutical and healthcare industries, manage large volumes of sensitive data, including adverse event reports, product complaints and regulatory compliance information. As regulations evolve, the importance of effectively auditing these databases has grown, making the role of auditors vital in ensuring compliance, data integrity and system security. During auditing of safety databases, auditing the technology, understanding the workflow and the process controls are key. Elements of the database build and how the documentation for the database is organised is a factor that cannot be ignored. In addition, the aspects of access control, network security and how the application sits within the framework are important factors to evaluate.
KEY CHALLENGES IN AUDITING SAFETY DATABASES
Auditing safety databases can present several challenges (see Figure 1), including:
1. Technical Complexity: understanding the underlying technology, including how the database is built and how it interacts with other systems, requires specialised expertise.
2. Large Data Volumes: safety databases contain vast amounts of data, making it difficult to thoroughly review and verify all records within a limited timeframe.
3. Evolving Regulations: constantly changing pharmacovigilance and data privacy regulations, such as the European Medicines Agency (EMA) Good Pharmacovigilance Practices (GPvP) and GDPR, add layers of complexity.
4. Data Privacy Concerns: the sensitive nature of safety data requires strict adherence to privacy regulations, ensuring that Personally Identifiable Information (PII) is protected. 5. Limited Access: auditors often have restricted access to database functionalities, making it challenging to perform a comprehensive audit without collaboration from the IT department.
6. Implementation of New Technologies: there are recent trends that indicate a global rise and shift of industry towards new technological advancements. This further adds to the complexity for understanding requirements specific to these advanced technologies.
7. Need for Specialised Expertise: a safety database audit requires a mix of pharmacovigilance, regulatory compliance and IT security knowledge.
8. The Configuration of Safety Database Platforms adds an Additional Layer of Complexity: a safety database is highly configurable to meet specific regulatory and operational needs, but this flexibility can lead to inconsistencies or misconfigurations if not properly managed. Auditors need to ensure that the system is correctly setup to handle case processing, reporting workflows and regulatory requirements across different regions. Evaluating system validation, user access controls and data integrity within the safety database environment is critical but can be challenging due to its technical depth and customisation options.
‘As regulations evolve, the importance of effectively auditing these databases has grown, making the role of auditors vital in ensuring compliance, data integrity and system security.’
Let us start with what a global safety database is. A global safety database, especially in the context of pharmaceuticals and medical devices, is an essential system used to collect, manage and analyse safety-related information. Its primary function is to support the pharmacovigilance process, ensuring that any potential safety risks or adverse events related to a product are identified, assessed and addressed in compliance with regulatory standards. In a pharmaceutical setting, such a database centralises the storage of safety data from various sources, including clinical trials, post-market surveillance and spontaneous adverse event reports. It enables companies to track Adverse Drug Reactions (ADRs) and safety issues across different regions, supporting a unified global approach to managing drug safety. Key components of a global safety database include (see Figure 2):
1. Centralised Data Repository: all safety-related data, from clinical trials to post-marketing reports, is consolidated in one system, providing a single source of truth for safety information.
2. Adverse Event Management: the database facilitates the processing, evaluation and classification of adverse event reports. This includes tasks such as coding medical terms using standardised vocabularies like MedDRA (Medical Dictionary for Regulatory Activities) and conducting signal detection to identify trends or unexpected risks.
3. Risk Assessment and Management: plays a critical role in monitoring and mitigating risks by continuously analysing data to detect any safety signals that may indicate emerging concerns with a product.
4.Regulatory Compliance: the system is designed to ensure that companies adhere to safety reporting requirements imposed by regulatory agencies such as the Food and Drug Administration (FDA), European Medicines Agency (EMA), and International Council for Harmonisation (ICH). It automates and streamlines the submission of Individual Case Safety Reports (ICSRs) and Periodic Safety Update Reports (PSURs/PADERs).
5. Global Accessibility and Collaboration: a global safety database is accessible by various stakeholders worldwide, allowing pharmaceutical companies, regulatory bodies and healthcare providers to access safety data in real time. This facilitates collaborative efforts in monitoring and improving product safety.
6. Advanced Reporting and Analytics: the system often includes tools for performing complex data analysis, visualisation and reporting, which help in detecting trends, assessing safety signals and making informed decisions regarding product safety.
‘Of the respondents who were using or exploring AI or ML technologies, 43% were doing this for the collection and collation of adverse drug reactions, including medical information and product quality.’
TECHNOLOGIES AND TRENDS IN SAFETY DATABASES
During the 2024 GPvP symposium, delegates were live polled on the use of AI within their organisations, with fascinating results. It was noted that 27% of respondents’ organisations were currently using AI or machine learning (ML) technologies for the conduct of pharmacovigilance tasks. 44% of respondents’ organisations were currently exploring or developing AI or machine learning technologies for the conduct of pharmacovigilance tasks. Of the respondents who were using or exploring AI or ML technologies, 43% were doing this for the collection and collation of adverse drug reactions, including medical information and product quality. This data represents the increasing technological advancements and trends that are used in safety databases. Organisations are focussed on some of the following key advancements:
1. Cloud-based Systems: many organisations are adopting cloud-based safety databases for scalability, flexibility and remote access.
2. Artificial Intelligence (AI) and Machine Learning (ML): these technologies are being used to enhance signal detection, automate routine processes and predict adverse events more accurately.
3. Integration with Electronic Health Records (EHRs): safety databases are increasingly integrated with EHR systems to streamline the reporting of adverse events directly from healthcare providers.
4. Blockchain for Data Integrity: blockchain technology is being explored to enhance the security and integrity of safety data, ensuring that it cannot be tampered with or altered.
Let us look at the data flow within the safety database before we start into how to audit the data. Pharmacovigilance data flow in the global safety database typically follows the following steps: The general workflow of a pharmacovigilance database is described below (see Figure 3):
1. Data Collection: gathering information on the substance and its use is the first stage. This includes details regarding the medication’s active ingredients, dosage, delivery method, indications and contraindications. Clinical trials, post-marketing research, impromptu accounts from patients and healthcare professionals and published literature are just a few examples of the many sources from which data can be gathered.
2. Data Entry: the obtained data must be placed into the pharmacovigilance database. The data is normally verified for accuracy and completeness by experienced professionals.
3. Case Processing: the data is processed into individual safety cases, which include information such as patient demographics, the product(s) involved, adverse event(s) and any concomitant medications.
4. Medical Coding: the safety case information is coded using standardised medical terminology, such as the Medical Dictionary for Regulatory Activities (MedDRA) coding system.
5. Signal Detection: after the data has been stored in the database, signal detection methods are utilised to find potential safety concerns or ‘signals’. These algorithms can identify unique patterns of adverse events that might point to a fresh or unidentified drug-related issue.
6. Signal Evaluation: the signals discovered in the preceding step must be assessed to ascertain their clinical importance and whether additional research is required. Reviewing the information at hand and speaking with medical professionals are part of this process.
7. Risk Assessment: if the signal is thought to be clinically important, a risk evaluation is carried out to ascertain the degree of risk connected with the medication. The severity of the adverse event, the number of patients affected and other pertinent factors are all taken into account in this evaluation.
8. Risk Management: appropriate risk management methods are designed based on the risk assessment to reduce the risk to patients. This can entail labelling modifications, usage limitations or even the drug’s removal from the market.
9. Data Analysis and Reporting: the safety case data is analysed and reported using various tools and techniques, such as data visualisation and trend analysis, to support decision-making related to product safety.
10.Reporting: finally, reports are generated to inform healthcare professionals, regulatory authorities and the public of any safety concerns identified, with the actions taken to manage the risk. These reports might be distributed directly to patients and healthcare professionals, published in medical journals or posted on the FDA’s website.
SIGNIFICANCE OF AUDITING SAFETY DATABASE
Auditing safety databases has become a critical component of pharmacovigilance systems, ensuring that pharmaceutical companies maintain the highest standards of drug safety monitoring. Safety databases serve as the central repository for collecting, storing and managing adverse event reports, signal detection, and risk management activities. Regulatory bodies like the EMA and the FDA place significant emphasis on the integrity and functionality of these databases during inspections, as they are essential for timely identification of safety signals and reporting of Adverse Drug Reactions (ADRs). Through inspections, regulators frequently identify deficiencies in how companies manage their safety databases, underscoring the need for regular internal and external audits. These audits help ensure that data entered into the system is accurate, complete and accessible for regulatory reporting, aligning the companies with global safety standards. By linking inspection findings to the broader framework of database audits, pharmaceutical organisations can mitigate compliance risks and protect patient safety while adhering to regulatory expectations (see Figure 4).
AUDITING METHODOLOGY
A well-structured approach is essential when auditing safety databases. The following key areas should be part of the audit:
Database Build and Functionality
- Validation: ensure the safety database is validated to comply with industry regulations (e.g. FDA’s 21 CFR Part 11, ICH E2B (R3), GAMP5) This involves confirming that the system performs its intended functions consistently and accurately.
- Change Control: review change management procedures to verify that any modifications to the database (software updates, patches) are appropriately documented, tested and approved.
- Documentation: assess how well the database’s documentation is organised. This includes system design specifications, validation protocols and user manuals.
‘Regularly review access logs and ensure there is a process for revoking access when staff leave or change roles.’
2. Access Control and Security
- User Access: verify that user access levels are properly defined, with clear distinctions between data entry, review and administrative rights. Regularly review access logs and ensure there is a process for revoking access when staff leave or change roles.
- Network Security: evaluate network security protocols to ensure the safety database is protected from unauthorised access. This includes assessing firewalls, encryption and multi-factor authentication systems.
- Audit Trails: an audit trail logs every interaction with the database, including data entries, modifications, deletions and user access. Auditors ensure that the audit trail is functioning properly, capturing essential information such as timestamps, user IDs and reasons for changes. They confirm the system’s ability to track user actions, with audit trails capturing who accessed or modified data and when. They also verify that the audit trail is reviewable and that the organisation conducts regular audits of the logs to detect and investigate suspicious activity. This is critical for compliance with regulatory requirements.
‘Any deviation from these principles could compromise data integrity and risk regulatory violations.’
3. Data Integrity
- ALCOA+ Principles: ensure data adheres to the ALCOA+ principles (Attributable, Legible, Contemporaneous, Original, Accurate, complete, consistent, enduring and available). Any deviation from these principles could compromise data integrity and risk regulatory violations. Review the accuracy, completeness and consistency of the data entered into the safety database. The database is audited for duplicate entries, incorrect classifications or missing information related to adverse events, drug interactions and device malfunctions. A focus is placed on data integrity to ensure that input errors are minimised.
- Data Migration: if the database has been upgraded or migrated, review the migration process to ensure that no data was lost or corrupted in the transfer.
4. Compliance with Regulations
- Regulatory Standards: confirm that the safety database meets the requirements of relevant regulatory bodies such as EMA (GVP Module VI), FDA (21 CFR Part 11) and other applicable global standards. Auditors evaluate the safety database’s ability to generate timely and accurate regulatory reports. This includes reviewing workflows for generating and submitting ICSRs, PSURs and other regulatory documents. Auditors ensure that case narratives, source documentation and any supplementary material are accurate and properly linked within the system.
- Data Privacy: ensure compliance with data privacy regulations like GDPR and HIPAA, particularly in relation to how adverse event reports and patient data are stored and shared.
5. Testing and Validation of Controls
- Periodic Testing: conduct regular testing of controls, including security measures and data backup processes. This should include penetration testing to assess system vulnerabilities.
- Disaster Recovery: review the disaster recovery plan to ensure that the database can be restored in the event of data loss or system failure.
Auditing new technology trends in safety databases involves evaluating how the latest advancements enhance the system’s functionality, compliance, security and data integrity. New technologies such as cloud computing, artificial intelligence (AI), machine learning (ML), blockchain and data integration systems introduce opportunities and challenges. Here’s how to audit these technologies:
1. Cloud-Based Safety Databases:
- Data Security and Privacy: assess whether the cloud provider adheres to Good Pharmacovigilance Practices (GVP) and regulations such as GDPR, HIPAA and 21 CFR Part 11. Check for encryption (data at rest and in transit) and data backup mechanisms.
- Access Control: review role-based access control systems and ensure that only authorised personnel have access to sensitive data.
- Disaster Recovery and Business Continuity: audit the cloud provider’s disaster recovery protocols to ensure that the system can handle data loss or downtime.
‘The Risk Management Plan (RMP) is reviewed to ensure that identified safety signals are appropriately escalated and addressed.’
‘Ensure that models are properly validated and continuously monitored to avoid bias or incorrect predictions.’
2. Artificial Intelligence (AI) and Machine Learning (ML):
- Algorithm Validation: evaluate the robustness of AI/ML models used for signal detection and Adverse Event (AE) reporting. Ensure that models are properly validated and continuously monitored to avoid bias or incorrect predictions.
- Auditability: check if the system retains transparent logs for AI-driven decisions, ensuring that actions taken by algorithms can be audited and explained.
- Automation of Adverse Event Reporting: review how AI is integrated into case processing, ensuring data accuracy and timely reporting to regulatory authorities.
3. Blockchain Technology:
- Data Integrity and Immutability: assess how blockchain is used to maintain data integrity by ensuring that all records (such as adverse event reports) are tamper-proof. Blockchain can create an immutable ledger of safety events, which auditors can verify.
- Compliance with GxP: ensure blockchain systems comply with Good Documentation Practices (GDP) and other GxP requirements, particularly around record keeping and traceability.
4. Integration with Electronic Health Records (EHRs):
- Data Interoperability: evaluate how well the safety database integrates with EHR systems to streamline adverse event reporting. Verify that the data exchanged between the systems is accurate and complete.
- Compliance with Health Standards: check compliance with health information standards such as HL7 (the Health Level 7 standards organisation) and FHIR (Fast Healthcare Interoperability Resources) to ensure seamless data exchange without compromising safety data quality.
- Real-Time Adverse Event Monitoring: assess whether the integration with EHRs allows for real-time or near-real-time monitoring of adverse events and drug safety signals.
5. Automation and Robotic Process Automation (RPA):
- Process Efficiency: audit the automation of routine tasks such as data entry, case processing and report generation. Verify that automated processes follow SOPs and regulatory guidelines.
- Error Reduction: evaluate whether automation is reducing human error and improving the accuracy of data entry and reporting.
- Change Management: review the change management system for automated processes to ensure any updates are tested and documented.
6. Regulatory Reporting:
- Automated ICSR and PSUR Generation: check how the system generates and submits Individual Case Safety Reports (ICSRs) and Periodic Safety Update Reports (PSURs). Ensure that the reports are timely and meet regulatory formatting and content requirements.
- Data Retention: ensure that the technology complies with data retention requirements, maintaining audit trails for all safety reports.
7. Cybersecurity in New Technologies:
- Vulnerability Assessment: conduct regular penetration testing and vulnerability assessments to ensure that new technologies (e.g. cloud or AI) are secure against cyber threats.
- Data Breach Response: review the company’s breach response plan to ensure prompt action in case of a data breach involving the safety database.
‘A structured, risk-based approach, coupled with continuous learning and collaboration, will lead to more effective audits and ultimately better patient safety outcomes.’
CONCLUSION
Auditing safety databases is a complex but critical task. By focusing on the core elements – database validation, access controls, data integrity and compliance with evolving regulations – auditors can ensure that safety databases function as intended while safeguarding sensitive data. With increasing reliance on new technologies like cloud computing, AI and blockchain, audits ensure that these advancements contribute effectively to data accuracy, timely reporting and patient safety. By focusing on areas such as data quality, system validation, regulatory compliance and cybersecurity, regular audits help organisations identify and mitigate risks while preparing for regulatory inspections. A structured, risk-based approach, coupled with continuous learning and collaboration, will lead to more effective audits and ultimately better patient safety outcomes.
REFERENCE
Pharmacovigilance unravelled: highlights of the 2024 MHRA GPvP Symposium Soe Hamill, 4 April 2024 – Good pharmacovigilance practice, Inside the Inspectorate.