People and Accountability: Who Does What in the Safety System

Sponsor safety leadership. The sponsor appoints a senior medical safety officer (often a safety physician) accountable for safety assessments and regulatory reporting decisions. In the EU, interface with the Qualified Person Responsible for Pharmacovigilance (QPPV) and the PSMF; in other regions designate local safety officers as required. The SMP should list names/titles (or roles), alternates, and out-of-hours coverage, with contact trees for urgent escalation.

Core functional roles (illustrative).

• Case intake & triage (PV operations): receives reports from sites, partners, literature, social media (if in scope), patient support programs, and product-quality complaints with AEs; assigns priority and creates cases.
• Case processors: validate minimum criteria, reconcile duplicates, follow up for missing information, and prepare the case for medical assessment; ensure data privacy and consent where applicable.
• Safety physician/medical monitor: assesses seriousness, expectedness (vs RSI/label), causality, and clinical significance; approves narratives and regulatory submissions; contributes to signal assessment.
• Medical writers/safety scientists: draft narratives, DSUR/PBRER sections, and risk-benefit summaries; maintain consistency across cases and aggregates.
• Coders: apply MedDRA for AEs and WHO-DD for concomitant meds; manage version control and quality checks.
• Regulatory operations: manage E2B(R3) submissions and acknowledgments, route SUSARs to agencies and investigators/IRBs/IECs per country rules, and maintain regulatory calendars.
• Signal detection team: performs quantitative and qualitative review (disproportionality where appropriate), convenes signal review meetings, and coordinates labeling/risk-minimization proposals.
• Clinical operations & sites: collect source data, ensure timely SAE reporting per protocol, and support follow-up and reconciliation.
• Data management: align EDC SAE forms with PV database fields, manage reconciliation, and maintain data standards.
• Quality assurance: audits the PV system, vendors, and trials; oversees CAPA; verifies training effectiveness and SOP adherence.
• IT/Systems: own safety database validation, change control, backups, disaster recovery tests, and access provisioning (RBAC/MFA).
• Partners & licensees: where SDEAs exist, share safety data per agreed timelines and format; the SMP should mirror the SDEA responsibilities.

RACI matrices. For each process step—intake, triage, medical review, coding, narrative QA, submission, investigator notification, reconciliation, archival—specify who is Responsible, Accountable, Consulted, and Informed. Include alternates and escalation levels (e.g., when to escalate to the safety physician, to the PV head, or to governance committees).

Training & qualification. The SMP should prescribe role-based training tied to applicable guidance (e.g., ICH E2A/E2B/E2D/E2F), regional requirements (e.g., FDA, EMA, PMDA, TGA), and company SOPs. Define initial and refresher cadences, practical proficiency checks (e.g., mock case processing with QC), and criteria for system access (training completion, test scores, confidentiality acknowledgments).

Independence and blinding. For blinded trials, stipulate that unblinded safety review is performed by independent personnel (e.g., dedicated unblinded safety physician/biostatistician) with segregated systems and access logs. The SMP should cross-reference the DSMB/IDMC charter regarding flow of unblinded information and the threshold for emergent unblinding (e.g., to safeguard participants), documenting local time and UTC offset on approvals and actions.

Vendor oversight. If case processing, coding, or distribution is outsourced, the sponsor remains accountable. The SMP should reference vendor SOPs, service levels (e.g., cycle time, on-time expedited reporting), quality controls, and audit rights; describe governance forums (business reviews, quality reviews) and performance dashboards. Contractual terms in the SDEA/SOW should be reflected in the SMP so operational teams execute to what was agreed.

End-to-End Processes: From Intake to Expedited Reports (and Everything Between)

Intake & triage. Define report sources (site reports, spontaneous reports, literature, patient support programs, social media if monitored, product quality complaints with AEs) and channels (email, EDC SAE forms, call centers, partner feeds). Document the minimum criteria for a valid case, duplicate checks, and timeliness rules (e.g., “day 0” is the date the sponsor or its agent becomes aware). Provide routing for special situations (pregnancy/lactation exposure, overdose, misuse, medication error, lack of efficacy in life-threatening conditions).

Case creation & processing. Capture structured data with audit trails: reporter, patient, suspect/concomitant products, doses, start/stop dates, medical history, event terms, seriousness criteria, outcomes, lab values, diagnostics, and de-identification per privacy laws. Define data privacy/consent handling for follow-ups. Apply MedDRA coding (with versioning and change-control) and WHO-DD for medications. Assign the case to medical review with clear SLAs.

Medical assessment & narratives. The safety physician determines seriousness, expectedness (vs IB/RSI or labeling), and causality; writes or approves the narrative. Provide rules for combining events into one case, for separating unrelated events, and for handling multiple suspect products. Include clinical judgement guidance for key domains (e.g., QT prolongation, drug-induced liver injury) and document when specialist consultation is required.

Expedited reporting (development and post-approval). The SMP must encode the sponsor’s algorithm for SUSAR and other expedited reporting per jurisdiction—e.g., alignment with 21 CFR 312.32 for IND safety reports to the FDA, the EU system via EudraVigilance under the EMA, and national rules for PMDA and TGA. State the triggers (serious, unexpected, suspected; fatal/life-threatening), distribution lists (regulators, investigators, IRBs/IECs), formats (E2B(R3), CIOMS), and clocks (e.g., 7/15-day standards where applicable). Describe how acknowledgments (ACKs) are tracked and failures remediated.

Investigator communications. Define timelines and content for investigator notifications (e.g., SUSAR line listings), IB/RSI updates, and safety letters. Document how site training is refreshed when the RSI changes, and how informed-consent forms are updated when new important risks are identified, aligned with ethics requirements overseen by health authorities and the WHO context for public-health studies.

Aggregate reports. Specify responsibilities for DSURs (development) and PBRERs/PSURs (post-marketing), including data locks, contributors, governance, and submission calendars. Ensure consistency between case-level trends and aggregate conclusions; route benefit-risk proposals to labeling committees and, where applicable, to RMP/REMS owners.

Signal management. Connect case processing to signal detection: periodic review of disproportionality outputs (if used), medical review of case clusters, literature surveillance, external databases, and cross-functional signal review meetings. Define signal validation, confirmation, analysis, prioritization, and recommendation steps; track decisions and action items with timestamps (local time + UTC offset) and file in the TMF/PSMF.

Data reconciliation and data quality. Reconcile EDC SAE forms with the safety database at defined intervals; resolve mismatches (e.g., onset dates, seriousness). Reconcile death and exposure data, dosing interruptions, and concomitant meds. Build controls to prevent “case drift” after submission (versioning, change logs). Ensure consistent dictionary versions across systems; document migration/upgrade testing.

IT controls & business continuity. Safety databases and gateways must be validated for intended use, with change control, role-based access, MFA, encryption, time-stamped audit trails, backups, and disaster-recovery tests. Define fallback procedures for system outages (manual forms, paper CIOMS, emergency hotlines) and the process for back-entry and reconciliation once systems are restored.

Inspection Confidence: Evidence, KPIs, Pitfalls, and a Ready-to-Use Checklist

Inspection-ready evidence package. Maintain a rapid-pull index so that, within minutes, you can surface: (1) the approved SMP and change history; (2) org charts and RACI matrices; (3) system validation summaries and configuration snapshots (database version, MedDRA/WHO-DD versions, gateway details); (4) SOPs/work instructions for intake, processing, coding, narratives, submissions, reconciliation, signal management; (5) training matrices and completion records; (6) vendor oversight evidence (KPIs, audits, CAPAs); (7) expedited reporting ledgers with acknowledgments; (8) DSUR/PBRER calendars and submissions; (9) DSMB/IDMC interfaces and unblinding controls; and (10) metric dashboards and deviation logs. These artifacts should be recognizable to reviewers across the FDA, EMA, PMDA, TGA, and aligned with ICH expectations and the WHO public-health perspective.

Program-level KPIs that demonstrate control.

• On-time expedited reporting: % SUSARs submitted within the regulatory clock (by region).
• Case cycle time: receipt-to-submission median and distribution; % cases meeting internal SLAs.
• ACK success rate: percentage of E2B(R3) transmissions receiving positive ACKs; time to remediate failures.
• Quality metrics: narrative QC pass rate; coding agreement rate; duplicate detection rate; error trends.
• Reconciliation health: number and age of open discrepancies between EDC and PV database.
• Signal workflow: time from signal detection to assessment decision; proportion of actions completed on time.
• Training effectiveness: post-training assessment pass rates; refresher completion within cadence.
• Vendor performance: adherence to SLAs; audit outcomes; CAPA effectiveness.

Common failure modes—and durable fixes.

• Unclear ownership for time-critical steps (e.g., who presses “send”). → Implement RACI, rehearse handoffs, and install “day 0” alerts with escalation.
• Dictionary/version drift between systems. → Centralize MedDRA/WHO-DD governance; timebox upgrades; communicate version-change effects; validate mappings.
• Inadequate follow-up on serious cases. → Automate follow-up reminders and track responses; define escalation for non-responsive sites/partners.
• Blind compromise during safety review. → Segregate unblinded roles/systems; log access; coordinate with DSMB per charter; provide arm-agnostic operational dashboards to blinded teams.
• Gateway/ACK failures close to deadlines. → Monitor transmissions continuously; pre-validate; have paper/portal fallback and document re-submission logic.
• Poor vendor oversight. → Embed SLA-backed metrics, quarterly business reviews, quality reviews, and audit rights; ensure SMP mirrors SDEA/SOW terms.
• Signal/aggregate disconnect. → Cross-check case trends with DSUR/PBRER narratives; track benefit-risk committee decisions and labeling change control.
• Weak business continuity. → Drill outage scenarios; maintain emergency contact trees and manual workflows; reconcile promptly post-recovery.

Study-ready checklist (single page).

• SMP approved, versioned, and aligned with ICH E2, FDA, EMA, PMDA, TGA, and WHO expectations.
• Named safety leadership, alternates, and 24/7 coverage; contact tree and escalation tiers documented.
• Validated safety database/gateway with change control, RBAC/MFA, audit trails, backups, and DR testing.
• Case workflows defined end-to-end (intake → triage → processing → medical review → coding → narrative → submission → archival) with SLAs and QC.
• Expedited reporting logic and distribution lists per region; investigator/IRB notification procedures; ACK tracking.
• Aggregate reporting calendar (DSUR/PBRER), roles, and governance; consistency checks with case data.
• Signal management procedure and governance meetings scheduled; decision logs with timestamps and actions.
• RACI matrices for all critical steps; vendor oversight plan that mirrors SDEA/SOW terms.
• Training curriculum with completion/competency records; system access gated to training.
• KPIs and CAPA pathway established; deviation and change-control logs active; rapid-pull inspection index ready.

Bottom line. A robust Safety Management Plan is a practical blueprint for protecting participants and patients and for meeting global obligations. When governance, roles, systems, and processes are explicit—and when metrics, training, and vendor oversight are active—sponsors can demonstrate sustained control to authorities such as the FDA, EMA, PMDA, and TGA, in line with ICH and the WHO commitment to public health.