Mergers and acquisitions (M&A) are pivotal moments for any pharmaceutical company — offering new markets, expanded product lines, and greater global reach. However, amid the excitement, there is one area that can quickly spiral into risk if not carefully managed: pharmacovigilance (PV) compliance.
When two companies (or product portfolios) combine, Good Pharmacovigilance Practices (GVP) must be upheld without disruption. ICSRs must still be reported on time. QPPVs must stay informed and in control. Safety databases must remain validated and accessible. And regulators expect zero gaps.
In this blog, we’ll break down the key PV challenges in M&A, what regulators expect during transitions, and how you can ensure your organisation stays GVP-compliant throughout the change.
Why Pharmacovigilance Is High-Risk During M&A
When companies merge, several areas of the PV system are exposed to potential noncompliance:
- Changes to legal entity status or marketing authorisation holder (MAH) responsibilities
- Disruptions in ICSR processing or literature monitoring
- Overlapping or missing Safety Data Exchange Agreements (SDEAs)
- Inconsistent or misaligned Risk Management Plans (RMPs)
- Confusion over Qualified Person Responsible for Pharmacovigilance (QPPV) oversight
- Data migration or access issues with safety databases
Even minor oversights in these areas can lead to regulatory findings, warning letters, or delays in post-M&A product launches.
Key Pharmacovigilance Areas to Monitor During M&A
1. QPPV Responsibilities and PV System Master File (PSMF)
Regulatory Expectation:
The QPPV must remain responsible and in control of the PV system at all times — regardless of ongoing ownership or organisational changes.
Best Practice:
- Ensure the QPPV is informed of the M&A strategy and included in due diligence planning.
- Update the PSMF with new roles, structure, affiliates, and systems.
- Notify regulators of QPPV changes within 7 days (EU requirement).
2. ICSR Continuity and Timeliness
Regulatory Expectation:
There should be no delays or missed timelines in ICSR reporting during mergers or acquisitions.
Risks Include:
- Conflicting intake workflows
- Disparate safety databases
- Misaligned SOPs and reporting responsibilities
Best Practice:
- Map out both organisations’ ICSR processes and identify integration gaps early.
- Define a “Day Zero” policy that applies immediately post-merger.
- Consider a transitional operating model (dual system) with clear oversight.
3. Safety Database Integration and Validation
Regulatory Expectation:
Safety databases must be validated, secure, and compliant with GVP at all times — even during migration or system integration.
Best Practice:
- Perform a gap analysis between legacy systems (e.g., Argus vs ArisGlobal).
- Document and validate data migration activities thoroughly.
- Maintain access logs, audit trails, and version control for regulators.
4. SDEAs and Third-Party Oversight
Regulatory Expectation:
Clear responsibilities for case reporting, signal detection, and regulatory submissions must be defined and updated in Safety Data Exchange Agreements.
Best Practice:
- Review all existing SDEAs for both companies.
- Identify contracts that need to be updated, terminated, or merged.
- Ensure third-party PV vendors are also aligned and trained.
5. Signal Management and Risk Communication
Regulatory Expectation:
Signal detection and risk minimisation must continue without disruption, and all applicable documentation must be unified and up to date.
Best Practice:
- Reassess RMPs, DSURs, and PSURs for impacted products.
- Conduct a combined benefit-risk review post-merger.
- Inform regulators of any changes in signal conclusions or mitigation strategies.
Due Diligence Essentials: PV Questions to Ask Before the Merger
- Does the company have a GVP-compliant PV system in place?
- Are all QPPV roles, affiliates, and PSMFs current and documented?
- How are ICSRs managed and reported — including expedited cases?
- Are there any open CAPAs or regulatory findings related to PV?
- What is the licensing and SDEA landscape across global markets?
- Is the safety database validated, and what’s the migration plan?
- Are all post-marketing safety documents up to date and aligned?
A Post-Merger PV Compliance Checklist
- QPPV responsibilities reviewed and updated
- PSMF revised and resubmitted where needed
- ICSR processes unified with clear ownership
- Safety database gap analysis and integration plan
- SDEAs reviewed, updated, and signed
- Signal management plan consolidated
- Staff training records aligned and documented
- Oversight of third parties/vendors ensured
- CAPAs from both legacy companies assessed
- Communication plan with regulators established
How Q&V Can Support Your PV Compliance During M&A
At Q&V, we specialise in helping life science companies manage the regulatory complexities of mergers and acquisitions with a focus on pharmacovigilance continuity and compliance.
We offer:
- Full PV system audits and due diligence support
- QPPV transition planning and documentation updates
- Safety database validation, migration, and compliance review
- SDEA harmonisation and third-party oversight assessments
- Custom CAPA and SOP development for integration activities
Contact Q&V today to ensure your next M&A journey is GVP-compliant from start to finish.