Key points
- Pharmacovigilance vendors must undergo documented due diligence before engagement.
- Risk assessment must evaluate the criticality of the service, regulatory impact, data handling, system controls, and vendor compliance history.
- Vendor questionnaires, reference checks, inspection history, and quality system review should be used to support risk evaluation.
- Risk classification must be justified and used to determine the level of qualification, audit, and oversight required.
- Due diligence findings must be documented and reviewed by appropriate PV and QA functions.
- Inspection-ready evidence should demonstrate that vendor risk is identified, assessed, and controlled before outsourcing activities begin.
What inspectors expect
Each point below should be supported by controlled documents and traceable records.
- Vendor engagement must be supported by documented due diligence.
- Risk assessment must evaluate the vendor's service criticality and compliance risk.
- The depth of qualification and oversight must be proportionate to vendor risk.
- Vendor suitability must be reviewed by appropriate pharmacovigilance and quality functions.
- The MAH must be able to justify why the vendor was considered acceptable.
Summary
Inspectors assess whether pharmacovigilance vendors are subjected to structured due diligence and risk assessment before engagement. They typically review questionnaires, risk classification logic, quality system evaluation, inspection history, and evidence that vendor risk drives qualification and oversight decisions.
Common questions
These are the questions this page is designed to answer directly.
- What is vendor due diligence in pharmacovigilance?
- How do you perform vendor risk assessment in pharmacovigilance?
- What do inspectors check for PV vendor due diligence?
- How are pharmacovigilance vendors risk classified?
- What should be reviewed before approving a PV vendor?
- How do regulators assess vendor due diligence?
- What are high-risk pharmacovigilance vendors?
- How do you assess vendor compliance before outsourcing PV?
- What is included in a pharmacovigilance vendor questionnaire?
- How do you document vendor risk in inspections?
Evidence objects inspectors expect
Vendor Assessment Questionnaire
- Company profile and PV contact details
- Quality management system and certifications
- Regulatory inspection and audit history
- Description of PV services and geographic coverage
- System validation, data security, and business continuity controls
Vendor Risk Assessment Documentation
- Service criticality assessment
- Risk classification as high, medium, or low
- Assessment of regulatory and operational impact
- Documented rationale for assigned risk level
- Link between risk level and qualification approach
Due Diligence Review Evidence
- Review of vendor SOPs and process documentation
- Assessment of staff qualifications and training
- Review of references and prior client experience
- Evaluation of safety database controls and Part 11 validation status
Pre-Qualification Audit Decision
- Decision to audit based on vendor risk classification
- Audit trigger for medium or high-risk vendors
- Justification where documentation review is sufficient for low-risk vendors
- Documented output supporting next qualification step
Qualification Review and Approval Package
- Summary of identified strengths, weaknesses, and gaps
- Consolidated due diligence findings
- QA review of risk assessment outcome
- PV or QPPV review of vendor suitability
Regulatory Basis (Primary Sources)
- GVP Module I – MAH responsibility for oversight of outsourced pharmacovigilance activities
- GVP Module VI – compliant safety data handling requires capable and controlled third parties
- ICH E2D – post-approval safety data management requires reliable third-party processes
- MHRA GPvP guidance – expectations for qualification and oversight of vendors
- FDA pharmacovigilance guidance – responsibility for compliant outsourced safety activities remains with the application holder
Typical Inspection Questions (What Inspectors Ask)
- What due diligence did you perform before selecting this vendor?
- How did you decide this vendor was high, medium, or low risk?
- What did your questionnaire and documentation review identify?
- Why was an audit required or not required?
- Show me the evidence used to justify approving this vendor.
Failure patterns
- Vendor risk is assigned without a documented rationale.
- Due diligence is limited to commercial review and does not assess PV capability.
- Critical issues in inspection history or system controls are not identified or challenged.
- The risk level does not influence the qualification approach or oversight plan.
- Vendors are approved despite unresolved due diligence gaps without clear justification.
What good looks like
- A structured due diligence package covering quality, compliance, systems, and operational capability.
- A documented risk assessment with clear justification for the assigned risk level.
- Use of questionnaire responses, supporting documents, and references to verify vendor suitability.
- Risk-based decisions on whether audit, additional controls, or remediation are required.
- Clear evidence that vendor approval is based on documented assessment rather than assumption.
Operationalisation
- Use a standard questionnaire to gather detailed information about vendor capability and compliance.
- Assess service criticality, system dependence, regulatory impact, and data sensitivity before assigning risk.
- Review quality systems, inspection history, personnel capability, and IT controls as part of due diligence.
- Require a pre-qualification audit for vendors whose risk profile justifies it.
- Document the rationale for risk classification and use it to shape qualification and oversight.
- Ensure PV, QA, and relevant approvers review and sign off the due diligence outcome.
FAQ
What is vendor due diligence in pharmacovigilance?
Vendor due diligence is the documented process of reviewing a vendor's quality systems, compliance history, operational capability, systems, and personnel before outsourcing pharmacovigilance activities.
What is assessed in a pharmacovigilance vendor risk assessment?
A vendor risk assessment typically considers service criticality, regulatory impact, inspection history, system validation, data security, staff capability, and the overall risk the vendor poses to compliant PV operations.
Why is risk classification important when qualifying a PV vendor?
Risk classification determines the depth of qualification, the need for audit, the level of oversight required, and how the MAH controls potential compliance risk.
What makes a pharmacovigilance vendor high risk?
A vendor is typically considered high risk when they perform critical pharmacovigilance activities such as global case processing, expedited reporting, safety database management, or services where failure could directly lead to regulatory non-compliance or patient safety risk.
Do inspectors review vendor risk assessments?
Yes. Inspectors frequently review whether vendor risk was assessed formally, justified clearly, and used to determine qualification and oversight activities.
What documents support pharmacovigilance vendor due diligence?
Typical documents include questionnaires, SOPs, training records, inspection history, audit reports, IT validation evidence, references, and formal risk assessment records.
What makes a pharmacovigilance vendor high risk?
High-risk vendors usually perform critical PV activities such as global case processing, expedited reporting, safety database hosting, or other services where failure could directly create regulatory non-compliance.
Sources
Primary guidance used to inform this map. This page is a structured interpretation layer; always validate against the original source documents.
European Medicines Agency (EMA)
- Guideline on good pharmacovigilance practices (GVP) – Module I
- Guideline on good pharmacovigilance practices (GVP) – Module VI
FDA
- Postmarketing Safety Reporting
ICH
- Post-Approval Safety Data Management (E2D)
MHRA
- Good Pharmacovigilance Practice (GPvP)