
United Kingdom Science Park Association

Good Practice Guide: Electronic Quality Management System for SMEs

BUILDING • TECHNOLOGY • BUSINESS

[Cover graphic: Audits, Metrics, Training, Documents, Procedures, Equipment, CAPA, Non-Conformance, Complaints, Change Control]

Copyright 2014 © Compliance Control Ltd.

Table of Contents

1. Foreword
2. Introduction
3. Executive Summary
4. Part 1: What is a Quality Management System?
4.1. Definitions of Quality and Quality Statements
4.2. Quality Standards and Regulations
4.2.1. ISO Quality Management System
4.2.2. ISO 9001
4.2.3. Medical Devices: MDD 93/42/EEC, ISO 13485, IEC 62304, 510(K)
4.2.4. CE Mark
4.2.5. Environmental Standard: ISO 14001
4.2.6. Laboratory Standards: ISO 17025
4.2.7. Occupational Health and Safety Advisory Services, BS OHSAS 18001
4.2.8. IT Service Management: ISO 20000
4.2.9. Information Security Management: ISO 27001
4.2.10. Business Continuity Standard: ISO 22301
4.2.11. Integrated Quality Management System (PAS 99)
4.3. ICH Q10 Pharmaceutical Quality System
4.4. GMP, GxPs
4.5. ISPE GAMP®5
5. Part 2: Paper Based Quality Management Systems
5.1. Managing Paper Based Quality Management Systems
5.2. Some Key Problems with Paper Based Quality Management Systems
6. Part 3: Electronic Quality Management Systems (EQMS)
6.1. What is an Electronic Quality Management System?
6.1.1. What is an EDMS?
6.1.2. Structured and Unstructured Documents and Data
6.2. What regulations apply to an EQMS?
6.3. Electronic Records and Electronic Signatures
6.4. Does an EQMS need to be Validated and if so how?
6.4.1. What is Validation and What is Computer Systems Validation?
6.4.2. Qualification of Network and IT Infrastructure
6.5. Software as a Service (Cloud Computing)
6.6. Migrating Existing Data into an EQMS?
6.6.1. Quality Metrics and Compliance Dashboard
7. Conclusions
8. Acknowledgements, References and Sources

1. Foreword

This UKSPA good practice guide has been produced by Compliance Control, one of our Business Affiliates, and is freely available to all of our science park, research park, technology park and technology incubator management teams and their business support advisors. It is designed to help companies implement a new – or improve their existing – quality management system, and so will also be a significant resource for owner-managers, quality managers, ICT and operations staff at many of the companies residing in our member locations – in particular those SMEs whose businesses are regulated by external bodies.

We have aimed to produce a guide sufficiently flexible to be relevant and useful to a wide range of sectors and size of firm, but also to companies that have paper-based document quality management systems who wish to migrate to an electronically based system.

I trust readers will find this good practice guide a stimulating document that will be a useful guide to you and your business as you seek to improve your quality management systems.

Paul Wright
UKSPA Chief Executive

2. Introduction

The first part of this good practice guide focuses on some definitions and explanations on understanding what a quality management system is and some commonly used regulations and standards. It aims to take away some of the myths and misconceptions regarding electronic records and electronic signatures (ERES), by simplifying the regulations and providing an explanation of how SMEs can use electronic systems to manage quality.

The second part explains how to establish a simple paper based quality management system.

The third part explains how even the smallest of companies can now use an affordable electronic quality management system to operate a quality system.

Who Should Read This Guide

This guide is targeted at science park, research park, technology park and technology incubator management teams and their business support advisors including the owners and Quality Managers, Operations and ICT staff of tenant companies whose businesses are regulated by external organisations, e.g. ISO, MHRA, FDA, EU, etc.

This document has been written by David Forrest, Chief Executive of Compliance Control Ltd and reviewed by Bob Crawshaw, Director and Principal Consultant, Compliance Control Ltd.

About Compliance Control Limited

Compliance Control Ltd was founded in 2005 and is a leading specialist in regulatory compliance, quality and validation services for a broad spectrum of industries. Recent funding from the Technology Strategy Board has enabled research and development of an Electronic Document and Quality Management System targeted specifically at small growing companies that need to be regulated, who traditionally would not use an electronic IT system for their Quality and Compliance Management System.

For further information refer to www.compliance-control.com

3. Executive Summary

Most SMEs use Sage Accounting or QuickBooks to manage their day-to-day accounting and financial needs, and most use a Customer Relationship Management (CRM) software product to manage their day-to-day sales and customers. Why don’t they create their own software or use bespoke spreadsheets and databases? Because, in essence, it is a ‘no-brainer’ to use one of these systems as they can be provided ‘out-of-the-box’ – set up, configured and in use within hours at an affordable price.

A survey carried out by Manchester University Business School in 2012 asked the question: How much does it cost, and how long does it take to implement a financial system, a Sales/CRM system, and an Electronic Quality Management System (EQMS)? The survey was based on approximately 300 small to medium companies with several larger organisations also responding.

The above survey was focused mainly on SME clients, as it is widely known that most large clients already use an Electronic Quality Management System to manage their day-to-day quality and compliance requirements because they can afford the price tag of tier one Electronic Quality Management System software products. These tier one products, on the whole, do not come ‘out-of-the-box’ and therefore take time, resources and money to set up, configure and customise (and validate), and thus are typically affordable only by larger organisations.

Figure 1: Durations for implementing finance, sales and quality management software. (Bar chart: percentage of respondents for Finance, Sales and Quality, by duration: 1-2 Weeks, 1-2 Months, 3-6 Months, 7-11 Months, 12 Months & Above.)

Conclusions:

• 60% believed a Finance system could be set up and implemented in between 1 week and 2 months.

• 50% believed a Sales/CRM system could be set up and implemented in between 1 week and 2 months.

• 60% believed an EQMS system could be set up and implemented in between 1 month and 6 months.

• 18% believed an EQMS system could be set up and implemented in between 7 months and 11 months.

Figure 2: Cost of implementing finance, sales and quality management software. (Bar chart: percentage of respondents for Finance, Sales and Quality, by cost: £1k-£10k, £11k-£25k, £26k-£50k, £51k-£100k, £101k & above.)

Conclusions:

• 55% believed a finance system could be set up and implemented costing between £1–10k.

• 67% believed a Sales/CRM system could be set up and implemented costing between £1–10k.

• 0% believed an EQMS system could be set up and implemented costing between £1–10k.

• 80% believed an EQMS system could be set up and implemented costing between £11–50k.

For smaller organisations, there are also concerns over the use of Electronic Records and Electronic Signatures, and in some cases there are issues of Computer System Validation of the software.

This good practice guide is therefore targeted mainly at the SME market space as, based on the above evidence – in particular timescale and cost – most SMEs tend to have a manual paper based system, a hybrid approach, or an unintegrated IT systems approach to quality management, as they perceive they cannot afford the time or money to implement an Electronic Quality Management System.

This good practice guide aims to show SMEs how they can now use an Electronic Quality Management System for their regulatory, quality and compliance processes at an affordable price, based on latest advances of Software and IT Infrastructure.

4. Part 1: What is a Quality Management System?

A Quality Management System (QMS) is a collection of business processes focused on achieving a quality policy and quality objectives – i.e. what your customer wants and needs. (Chris Anderson. What is a Quality Management System? Bizmanualz, Nov 18, 2013.)

It can be expressed as the organisational structure, policies, procedures, processes and resources needed to implement quality management. Early systems emphasised predictable outcomes of an industrial production line, using simple statistics and random sampling. By the 20th century, labour inputs were typically the most costly inputs, so focus shifted to team cooperation and dynamics, especially the early signalling of problems via a continuous improvement cycle. In the 21st century, QMS has tended to converge with sustainability and transparency initiatives, as both investor and customer satisfaction and perceived quality are increasingly tied to these factors. Of all QMS regimes, the ISO 9000 family of standards is probably the most widely implemented worldwide.

One of the most common tools for working on quality in a long term cyclical and sustainable manner is the Deming circle (PDCA). The Deming circle was developed by the American statistician William Edwards Deming (1900–1993) who worked mainly in Japan. The methodology can be found in most ISO standards: ISO 9001, ISO 17025, etc. The four elements of the Deming circle are:

• Plan what you will do and how you will do it

• Do what you have planned

• Check the results

• Act or react to things that go wrong and investigate how to improve (further)

Figure 3: Deming circle (PDCA)

4.1. Definitions of Quality and Quality Statements

The following are some extracts and examples from the many differing definitions of quality:

• Manufacturing based definitions are concerned primarily with engineering and manufacturing practices and use the universal definition of “conformance to requirements.” Requirements, Specifications, and Designs are already established, and during manufacturing any deviation implies a reduction in quality. The concept applies to services as well as products.

• Excellence in quality is not necessarily in the eye of the beholder but rather in the standards set by the organisation.

• Manufacturing: a measure of excellence or a state of being free from defects, deficiencies, and significant variations, brought about by the strict and consistent adherence to measurable and verifiable standards to achieve uniformity of output that satisfies specific customer or user requirements.

• Put simply… quality is the level of adherence to good procedures. If a simple set of procedures can be put in place, and staff trained accordingly, then the defined processes should produce quality products and/or services.

• Failure to create appropriate procedures, lack of initial and ongoing training, and poor internal auditing processes will eventually lead to poor quality products and services.

• Where an organisation produces products or services that must comply with regulations, the level of quality of the organisation is defined by the level of procedures in place to ensure conformance to the set of regulations that must be followed. Adequate staff training regarding the operational procedures, combined with good internal auditing, and a simple and effective CAPA (corrective action, preventive action) system, will ensure compliance.

• A simple non-conformance, deviation management system process, including investigations from customer complaints, should drive root cause analysis investigations, thus improving overall quality.

Figure 4: Typical ISO 9001 Quality Circle. (Diagram labels: Resource, Measure, Monitor, Improve; Core Control Procedures; Statement of Purpose; Sales, Development, Support, Production.)

4.2. Quality Standards and Regulations

There are many standards and regulations ranging from ISO (International Organization for Standardization) such as ISO 9001, 14001, 13485, 17025, 18001 (Occupational Health and Safety Advisory Services, OHSAS), 20000, 27000, and the other industry and country regulatory bodies, such as the US Food and Drug Administration (FDA), UK Medicines and Healthcare products Regulatory Agency (MHRA), International Standards such as ICH Q10 (International Conference on Harmonisation), the European Medicines Agency (EMA) and the European Commission CE Marking, to list but a few!

The following sections provide further information on the most commonly used standards and regulations.

4.2.1. ISO Quality Management System

ISO (International Organization for Standardization) is the world’s largest developer of voluntary international standards. International standards give state of the art specifications for products, services and good practice, helping to make industry more efficient and effective. Developed through global consensus, they help to break down barriers to international trade. It was founded in 1947, and since then has published more than 19,500 international standards covering almost all aspects of technology and business. From food safety to computers, and agriculture to healthcare, ISO international standards impact all of us.

ISO certification can increase the effectiveness of your existing management systems and allow the organisation to become more efficient in the way it operates.

4.2.2. ISO 9001

ISO 9001 is the world’s most established quality framework, focusing on effective management of business and meeting customers’ requirements. The standard is used in 175 countries worldwide and helps all kinds of organisations to succeed through improved customer satisfaction, staff motivation and continuous improvement. Refer to section 5 for more details on ISO 9001.

4.2.3. Medical Devices: MDD 93/42/EEC, ISO 13485, IEC 62304, 510(K)

The European Union Medical Devices Directive (MDD 93/42/EEC) covers a vast range of products from first-aid bandages and walking frames to CT scanners and implants. Given this wide range, it is not justifiable to subject all devices to the same levels of conformity assessment. It is important, therefore, that the level of control is matched, as far as possible, to the degree of risk inherent in the device.

The core legal framework actually consists of 3 directives:

• Directive 90/385/EEC regarding active implantable medical devices

• Directive 93/42/EEC regarding medical devices

• Directive 98/79/EC regarding in vitro diagnostic medical devices

Attempts were therefore made to set the controls relative to the perceived risk in an effort to make them as relaxed as possible (to ease the bureaucratic and financial burdens on business) and as strict as necessary (to ensure that the health of the patient and user is adequately protected).

The classification of devices is therefore a risk-based system. The criteria for classification are described in Annex IX of the Medical Devices Directive.

‘General’ medical devices are grouped into four classes as follows:

• Class I – generally regarded as low risk

• Class IIa – generally regarded as medium risk

• Class IIb – generally regarded as medium risk

• Class III – generally regarded as high risk

Classification of a medical device depends upon a series of factors, including:

• How long the device is intended to be in continuous use

• Whether or not the device is invasive or surgically invasive

• Whether the device is implantable or active

• Whether or not the device contains a substance, which in its own right is considered to be a medicinal substance and has action ancillary to that of the device.

The difference between each class rests in the choice of conformity assessment procedures available. The section “Conformity assessment and the CE Mark” in the Medical Devices Directive has a description of the various conformity assessment routes available to manufacturers. It is the stated intended purpose of the device, assigned by the manufacturer, which determines the class in which a device is categorised. See www.mhra.gov.uk/Howweregulate/Devices/Classification/

Within the medical device sector, ISO 13485 takes the fundamental requirements of ISO 9001 and relates it to the production of medical devices, in-vitro medical devices and implantable active devices. For companies manufacturing devices to be CE marked for sale in Europe, implementation of ISO 13485 provides the simplest solution to meeting the requirements of the European Medical Device Directives.

In some cases, medical devices contain software and the International Electrotechnical Commission (IEC) 62304 standard specifies software development lifecycle requirements for the development of medical software and software within medical devices.

To market a device in the USA, the USA section 510(k) of the FDA Act requires device manufacturers to notify the FDA, at least 90 days in advance, of their intent to market a medical device.

This is known as Pre Market Notification – also called PMN or 510(k). It allows the FDA to determine whether the device is equivalent to a device already placed into one of the three classification categories. Thus, “new” devices (not in commercial distribution prior to May 28, 1976) that have not been classified can be properly identified.

Any device that reaches the market via a 510(k) notification must be “substantially equivalent” to a device on the market prior to May 28, 1976 (a “predicate device”). If a device being submitted is significantly different, relative to a pre-1976 device, in terms of design, material, chemical composition, energy source, manufacturing process, or intended use, the device nominally must go through a Pre Market Approval, or PMA.

A device that reaches the market via the 510(k) process is not considered to be “approved” by the FDA. Nevertheless, it can be marketed and sold in the United States. They are generally referred to as “cleared” or “510(k) cleared” devices.

4.2.4. CE Mark

The CE marking, or formerly EC mark, is a mandatory conformity marking for certain products sold within the European Economic Area (EEA) since 1985. The CE marking is found even on products sold outside the EEA, because they are either products manufactured in the EEA and have been exported, or they were manufactured in other nations which have EEA as a prime market. This makes the CE marking recognizable worldwide even to people who are not familiar with the European Economic Area.

There are certain rules underlying the procedure to affix the marking:

• Products subject to certain EC directives providing for CE marking have to be affixed with the CE marking before they can be placed on the market.

• Manufacturers have to check, on their sole responsibility, which EU directives they need to apply for their products.

• The product may be placed on the market only if it complies with the provisions of all applicable directives and if the conformity assessment procedure has been carried out accordingly.

• The manufacturer draws up an EC declaration of conformity and affixes the CE marking on the product.

• If stipulated in the directive(s), an authorised third party (notified body) must be involved in the conformity assessment procedure.

• If the CE marking is affixed on a product, it can bear additional markings only if they are of different significance, do not overlap with the CE marking and are not confusing and do not impair the legibility and visibility of the CE marking.

Since achieving compliance can be very complex, CE marking conformity assessment, provided by a notified body, is of great importance throughout the entire CE marking process, from design verification and set up of the technical file to the EC Declaration of Conformity.

Responsibility for CE marking lies with whoever puts the product on the market in the EU, i.e. an EU-based manufacturer, the importer or distributor of a product made outside the EU, or an EU-based office of a non-EU manufacturer.

The manufacturer of a product affixes the CE marking to it but has to take certain obligatory steps before the product can bear CE marking. The manufacturer must carry out a conformity assessment, set up an electromagnetic comprehensiveness technical file and sign an EC declaration of conformity. The documentation has to be made available to authorities on request.

4.2.5. Environmental Standard: ISO 14001

For organisations that want to prove their ‘green credentials’, ISO 14001 is the international standard that helps businesses with implementing an Environmental Management System, including producing an environmental policy and objectives. The standard can be used to implement an environmental management system from scratch or improve on an existing one, whilst taking account of diverse geographical, cultural and social conditions that may exist in business.

4.2.6. Laboratory Standards: ISO 17025

ISO 17025 is the main standard used to assess the competence of testing and calibration laboratories.

The standard itself comprises five elements that are scope, normative references, terms and definitions, management requirements and technical requirements. The two main sections in ISO 17025 are management requirements and technical requirements. Management requirements are primarily related to the operation and effectiveness of the quality management system within the laboratory. Technical requirements include factors which determine the correctness and reliability of the tests and calibrations performed in laboratories.

4.2.7. Occupational Health and Safety Advisory Services, BS OHSAS 18001

OHSAS 18001 is a British Standard for occupational health and safety management systems. It exists to help all kinds of organisations put in place demonstrably sound occupational health and safety performance. It is widely seen as the world’s most recognised occupational health and safety management systems standard.

4.2.8. IT Service Management: ISO 20000

ISO 20000 is the first international standard for IT service management. It was developed in 2005, and revised in 2011. It is based on, and intended to supersede, the earlier BS 15000 that was developed by BSI Group.

ISO 20000-1:2011 (‘part 1’) includes “the design, transition, delivery and improvement of services that fulfil service requirements and provide value for both the customer and the service provider. This part of ISO 20000 requires an integrated process approach when the service provider plans, establishes, implements, operates, monitors, reviews, maintains and improves a service management system (SMS).”

The 2011 version (ISO 20000-1:2011) comprises the following nine sections: scope, normative references, terms and definitions, service management system general requirements, design and transition of new or changed services, service delivery processes, relationship processes, resolution processes and control processes.

4.2.9. Information Security Management: ISO 27001

ISO 27001 is an Information Security Management System (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC 27001:2005, Information Technology, Security Techniques, Information Security Management Systems, Requirements. This standard was updated on 25th September 2013 and is now known as ISO/IEC 27001:2013.

ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. The standard includes the following:

• Information security leadership and high-level support for policy

• Planning an information security management system; risk assessment; risk treatment

• Supporting an information security management system

• Making an information security management system operational.

4.2.10. Business Continuity Standard: ISO 22301

ISO 22301 is the business continuity standard for management systems; it supersedes BS 25999 which was the world’s first British Standard for business continuity management.

ISO 22301:2012 specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.

4.2.11. Integrated Quality Management System (PAS 99)

The more management systems an organisation has in place, the more the business could potentially benefit. However, managing several Quality Management Systems with areas of overlap and duplication has often been confusing and expensive.

Recently the British Standards Institute has created PAS 99 which is a specification for integrated management systems. This takes the hard work out of managing more than one certified system at the same time. PAS 99 integrated management systems allow an organisation to streamline the way it operates, aligning all common standard requirements, and cutting the cost of separate audits and administration.

The PAS 99 details one system that provides one set of documentation, policies, procedures and processes for all of their management systems. It was developed using the ISO guide for writing management system standards and typical integrated management systems might include ISO 9001 Quality Management, ISO 14001 Environmental Management, BS OHSAS Occupational Health and Safety Management, ISO/IEC 27001 Information Security Management, ISO/IEC 20000 IT Service Management, ISO 22000 Food Safety Management and BS ISO 22301 Business Continuity Management, etc.

An integrated management system, therefore, is better for businesses as it is much simpler to meet all standard requirements using one set of policies and procedures. Multiple systems can be audited at the same time and staff can be trained to use more than one system at a time – saving money and boosting both performance and efficiency. Communication also improves when companies are working towards a common set of objectives, giving clearer roles and responsibilities.

Plus, administration becomes easier when all systems can be managed using the same processes (and a single electronic system, see below) making sure that actions support or enhance each system. All of this points toward continual investment and improvement, which can give customers, stakeholders and suppliers greater confidence in the organisation’s ability to deliver integrated and effective management systems.

4.3. ICH Q10 Pharmaceutical Quality System

The official title is: “Expert Working Group (Quality) of the International Conference on Harmonisation of Technical Requirements for Registration of Pharmaceuticals for Human Use (ICH)”.

This internationally harmonised guidance is intended to assist pharmaceutical manufacturers by describing a model for an effective quality management system for the pharmaceutical industry, referred to as the pharmaceutical quality system, which is called the ICH Q10 model.

ICH Q10 describes one comprehensive model for an effective pharmaceutical quality system that is based on International Organization for Standardization (ISO) quality concepts, includes applicable good manufacturing practice (GMP) regulations, and complements ICH “Q8 Pharmaceutical Development” and ICH “Q9 Quality Risk Management.”

ICH Q10 is a model for a pharmaceutical quality system that can be implemented throughout the different stages of a product lifecycle. Much of the content of ICH Q10 applicable to manufacturing sites is currently specified by regional GMP requirements. ICH Q10 is not intended to create any new expectations beyond current regulatory requirements. Consequently, the content of ICH Q10 that is additional to current regional GMP requirements is optional.

4.4. GMP, GxPs

Good Manufacturing Practices (GMP) are the practices required in order to conform to guidelines laid down by agencies which control authorisation and licensing for manufacture and sale of food, drug products, and active pharmaceutical products. These guidelines are laid down with the intention of providing minimum requirements that a pharmaceutical or a food product manufacturer must meet while manufacturing drugs or food products, which then assures that the products manufactured/produced are of high quality and do not pose any risk to the consumer or public.

In the United Kingdom, the Medicines Act (1968) covers most aspects of GMP in what is commonly referred to as “The Orange Guide”, which is named so because of the colour of its cover; it is officially known as Rules and Guidance for Pharmaceutical Manufacturers and Distributors.

Within the European Union, GMP inspections are performed by National Regulatory Agencies – e.g. GMP inspections are performed in the United Kingdom by the Medicines and Healthcare products Regulatory Agency (MHRA).

GMPs are enforced in the United States by the U.S. Food and Drug Administration (FDA). The regulations use the phrase “current good manufacturing practices” (cGMP) to describe these guidelines.

Other good practice systems, along the same lines as GMP, exist and are often referred to as GxPs:

• Good Laboratory Practice (GLP), for laboratories conducting non-clinical studies (toxicology and pharmacology studies in animals);

• Good Clinical Practice (GCP), for hospitals and clinicians conducting clinical studies on new drugs in humans;

• Good Distribution Practice (GDP) deals with the guidelines for the proper distribution of medicinal products for human use.

All the above follow a similar core of Quality Management System processes but also have key focused procedures and processes on the differing practice.

4.5. ISPE GAMP®5

Good Automated Manufacturing Practice (GAMP®) is both a technical subcommittee of the International Society for Pharmaceutical Engineering (ISPE) and a set of guidelines for manufacturers and users of automated systems in the pharmaceutical industry. More specifically, the ISPE’s guide: The Good Automated Manufacturing Practice (GAMP®) Guide for Validation of Automated Systems in Pharmaceutical Manufacture, describes a set of principles and procedures that help ensure that pharmaceutical products have the required quality. One of the core principles of GAMP is that quality cannot be tested into a batch of products but must be built into each stage of the manufacturing process. The latest release GAMP®5 is titled: A risk based approach to Computer Systems Validation.

GAMP® is a guideline that describes how to validate computer systems, i.e. provide documented evidence to prove that computer systems in the pharmaceutical industry work according to agreed specifications.

5. Part 2: Paper Based Quality Management Systems

Let’s take ISO 9001 as the key and core starting point for a Quality Management System which focuses on measurement, monitoring, improvement and adequate resources to ensure the improvements are made.

The core of a Quality Management system is normally a Quality Manual. This is a document created using a standard word processor and typically ranges from 5–25 pages. It is really a high level summary of the management system that is being adopted and often refers to the high level standard that you are aspiring to conform to. Using ISO 9001 as a baseline, then this will also detail the management structure and who is responsible for managing the quality system, normally referred to as the Quality Manager.

The list below details the 19 core elements of ISO 9001; most other quality management systems cover more or less the same areas that are normally found in a quality manual. The quality manual is typically a high level reference point, where the actual detail is then found in further procedures or Standard Operating Procedures (SOPs):

• Quality Manual

• Management Structure

• Documentation

• Records Management

• Change Control

• Customer Relationship Management

• Products and Service Delivery

• Products and Service Development

• Environment Management

• Human Resources

• Supplier and Outsourcing Management

• Equipment Maintenance and Calibration

• Purchasing

• Monitoring of Customer Satisfaction

• Internal Audits

• Monitoring Production and Service Delivery

• Analysis of Performance of the QMS

• Corrective Action and Preventative Action

• Management Review

Typically, there are two key aspects to a quality management system:

The first aspect is: What does your business do, and how does it carry it out on a day-to-day basis? Is it a service/consultancy business designing a new product? A laboratory sample testing facility? Or a manufacturing facility?

Each business is different and thus the processes are documented in standard operating procedures. These procedures describe in detail how your business functions on a day-to-day basis. Once the procedures have been written, formal training records are required to provide evidence that the training has been carried out adequately. All these procedures need to conform to your documentation standards procedure that has been previously created, reviewed and approved.

As well as procedures, a whole series of forms are required to track and record the documented evidence; in ISO 9001 this is called records management. External auditors must have ‘documented evidence’ that actions and activities have been carried out.

Thesecondaspectis:Thestandardqualityprocessesthatarerequiredacrossallbusinessesinalldifferentindustrysectors.Typically,theseare:

• DocumentationManagement,ControlandIssue

• RecordsManagement,includingtrainingrecords

• ChangeControlManagement

• MonitoringofCustomerComplaints

• InternalAudits

• NonConformance

• CorrectiveActionandPreventativeAction

Oncetheaboveprocessesareinplaceandthequalitymanualandprocedureshavebeenreviewedandapprovedtheninternalauditingcantakeplace,whichisasystematiccheckofeachpartofthequalitysystemandprocesses.

SettingupaQualityManagementSystemwillrequirenumerousprocedures,forms,recordsandprocesses–addinguptoalotofpaperwork!Inapaperbasedqualitymanagementsystemthefollowingimagescanapply.

Figure 5: Example of paper based systems. (Images: set of ring binders; in-tray piled up with paper documents and forms; Quality Manager preparing for an audit; organised filing cabinet.)

Most paper based quality management systems in SMEs use a base of electronic systems. A combination of word processors, spreadsheets and ad hoc databases are used, all running on an informal IT Infrastructure. The core base documents are stored on desktops, laptops, servers, etc. In some cases this is in an organised folder structure, in other cases less organised. Often, there is no formal backup and system security strategy and no protection or traceability on who edits, updates and deletes files and other quality records.

In some cases the IT department or just someone with some IT skills can quickly create a simple database application to manage some of the quality records required (as a quick fix). Quickly, however, this becomes problematic as there are then issues about access control to the system and who manages and maintains the system, and the initial short term (quick fix) benefits are quickly lost and overtaken by complex IT development and support issues.

Figure 6 is an example of how ad hoc spreadsheets and databases can result in a diverse and ‘unintegrated’ system.

Such an ad hoc system is very difficult to maintain, particularly as a company grows, and in an industry formally regulated by bodies such as the MHRA, FDA, etc the system shown in Figure 6 is more or less unvalidatable, hence the data residing within the systems cannot be used as evidence during regulatory inspections.

Hence SMEs either have a standalone paper based system or there are often two systems running in parallel: a simple paper based system and the ad hoc, hybrid, unvalidatable system.

5.1. Managing Paper Based Quality Management Systems


• The use of Key Performance Indicators (KPIs) to provide visibility and to demonstrate the level of quality of an organisation is difficult using a paper based system. Electronic Quality Management Systems provide visible KPIs to management. Staff using information management systems to help follow quality processes and procedures can help to improve visibility and levels of quality.

• Searching for documents and forms is impractical with paper only based systems.

• Documents and forms sent round for review and approval are not trackable. Often documents can be hidden in in-trays (Figure 5).

Whilst in some cases the Quality Administrator or Document and Records Administrator may be extremely efficient and well organised, it is still potentially difficult to find documents and forms and to search for information within documents and forms.

In a small organisation, many ring binders are often found with the latest version of standard operating procedures. One small organisation of less than 100 people had 30 Ring Binders spread around in different locations. The administrative burden took at least 2 days a month to keep these binders up to date by adding in new and updated procedures, and removing redundant procedures. Not only was this costing time and money for administration but also the cost of printing and paper. It also leads to unfortunate errors, as managing such a system is prone to human error.

5.2. Some Key Problems with paper based Quality Management Systems

Figure 6: Example of ad hoc, hybrid, unvalidatable system. (Diagram labels: Disparate System; Excel Spreadsheets; Quality Management System; Issue Tracking System; Project Documentation; Training Records; Change Control System.)


• As businesses grow it is increasingly difficult to manage the numerous spreadsheets and ad hoc databases that are created to manage quality documents, processes and records.

• For clients with FDA, MHRA and other similar regulatory requirements it is virtually impossible to validate an ad hoc, bespoke IT system used to store Quality Management Systems documentation.

• IT Infrastructure and Network (and formal Qualification) is vital to ensure good access and security and the costs associated with this are burdensome for small businesses.

• In many cases paper based systems cannot be managed and controlled well and unless there is true overall visibility of all quality records and data then an organisation could well have serious quality issues. This is often called the Tip of the Iceberg (Figure 7). Whilst maybe 10% of the quality issues are visible (above the water), 90% of the quality issues are invisible (underwater in the hidden paper chase).

Figure 7: Tip of the Iceberg.

While the general principles of quality management have remained consistent for many years, the IT and electronic systems and solutions used to ensure the production and delivery of high quality products and processes across the value chain have changed drastically.

Companies initially developed spreadsheets and ad hoc database management systems, which were used to manually monitor and analyse quality data. With developments in technology, there was a movement toward companies either implementing point quality solutions (many of them home grown) or quality specific modules in ERP systems to manage quality. In both cases, the vast majority of companies failed to meet the business and technical requirements of global manufacturing companies with respect to a Quality Solution.

As a result, many organisations now have a disjointed, broad set of systems that don’t easily communicate with one another. Improvements with these systems are often localised, lacking the global visibility needed to truly manage quality.

With the need in the market, a new software category has emerged: Electronic Quality Management Systems (EQMS). (In some cases EQMS can also stand for Enterprise Quality Management Systems).

In essence, an EQMS is a software solution specifically designed to manage Quality Processes, Documents, and Data.

6. Part 3: Electronic Quality Management Systems (EQMS)

6.1. What is an Electronic Quality Management System?

A Document Management System (DMS) is a computer system (or set of computer programmes) used to track and store electronic documents. It is usually also capable of keeping track of the different versions modified by different users. Today, most of these systems are referred to as an Electronic Document Management System. An EDMS is a core part of an Electronic Quality Management System.

6.1.1. What is an EDMS?


In some cases an EDMS can be just a folder structure or repository for documents. In this case, documents are dragged and dropped into folder structures that have some simple organised hierarchy. In this case there are often intelligent search engines that can access the content of the document and the document properties. This is often referred to as Unstructured Documents.

However, it is also possible when adding documents to an electronic system to add additional data fields as part of the document. This is often called Structured Documents, or Metadata. Additional data such as document owner, reviewer and approver can be added, and electronic signature records, along with many additional data fields such as required by date, review by date, document expiry date, document version number, document reference number, etc.

When selecting an EDMS it is important to ensure that there is the ability to add structured data, so that metrics and a dashboard can be made available showing trending information and providing the ability for an alert/traffic light system to manage and monitor document status.

In a similar way, it is important to ensure that there is sufficient capability of the EQMS to ensure that data fields can be added to quality management records, such as data for CAPA, Customer Complaints, Training Records, Change Control, Audits, etc. If this data is stored in a structured way then, as above, the information can be trended and made visible via a simple dashboard. (Using current simple paper based systems, with a series of spreadsheets to manage this aspect of quality and provide simple visibility, is difficult, time consuming and not a validatable option.)

6.1.2. Structured and Unstructured Documents and Data

There are no real regulations that need to be applied to the setup and configuration of a relatively generic use of an Electronic Quality Management System, such as setup and configuration for ISO 9001 or 13485. However, if an independent auditor is presented with evidence of conformance, and this is only from the EQMS IT system, i.e. there are no paper printouts, then the auditor may request some form of evidence that the IT system has been set up and configured correctly.

However, with respect to organisations that comply with GMP, evidence of Computer System Validation is required.

The main US FDA regulation to control Electronic Records is 21 CFR Part 11. This regulation is similar to the EU Eudralex, The Rules Governing Medicinal Products in the European Union, Volume 4, Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use, Annex 11: Computerised Systems.

The EU annex applies to all forms of computerised systems used as part of GMP regulated activities. It states: “The application should be validated; IT infrastructure should be qualified” and where a computerised system replaces a manual operation, “there should be no resultant decrease in product quality, process control or quality assurance. There should be no increase in the overall risk of the process”.

There is often confusion regarding this topic and there are numerous regulations from wide industry sectors. If we consider organisations that need to comply with GMP, then the EU Eudralex Volume 4, Annex 11, and US FDA 21 CFR Part 11, are again the key regulations in this sector. Conformance to these regulations – as in most cases, they are quite stringent rules and regulations – would ensure that you are compliant with most other industry regulations.

With respect to Annex 11, put very simply, if you are using an electronic system to store quality critical records, in particular critical product or patient data, then you can use such a system to provide evidence of your Quality Management System, only if the electronic system has been validated and it is running on a formally qualified IT and Network Infrastructure.

In essence, and very simply, once logged into a system, when asked to approve a record by signing electronically, e.g. a document, CAPA, outstanding audit action, etc., the user simply has to re-enter their username and password and a reason/objective/capacity for signing.

6.2. What regulations apply to an EQMS?

6.3. Electronic Records and Electronic Signatures


There are many additional software systems such as EchoSign, Cosign, Docu-Sign, etc that allow a user to establish a secure signature system and there are many other types of systems using swipe cards, biometrics, finger/thumb prints that are far too numerous and cover a much wider topic than required in this document.
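The signing step described above (re-enter username and password, plus a reason or capacity for signing), as an added example that is not from this guide or from any EQMS product. It binds the signature to a hash of the record so that a later edit invalidates it; the function names, the user store and the server-held key are assumptions, and the HMAC used here is a server-side integrity seal, not a public-key digital signature.

```python
import hashlib
import hmac
import json
import os
from datetime import datetime, timezone

PBKDF2_ROUNDS = 600_000  # work factor for the stored password hash


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def enrol(users: dict, username: str, password: str) -> None:
    """Store a salted password hash, never the password itself."""
    salt = os.urandom(16)
    users[username] = (salt, _derive(password, salt))


def authenticate(users: dict, username: str, password: str) -> bool:
    """Re-check the credentials at the moment of signing."""
    salt, expected = users.get(username, (b"\x00" * 16, b""))
    # Derive even for unknown users so both paths cost the same time.
    return hmac.compare_digest(_derive(password, salt), expected)


def record_digest(record: dict) -> str:
    """SHA-256 over a canonical JSON form of the record being approved."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def _mac(server_key: bytes, manifest: dict) -> str:
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(server_key, body, hashlib.sha256).hexdigest()


def sign_record(users, server_key, record, username, password, meaning):
    """Return a signature manifest bound to the record's current content."""
    if not meaning.strip():
        raise ValueError("a reason/capacity for signing is required")
    if not authenticate(users, username, password):
        raise PermissionError("re-authentication failed; nothing was signed")
    manifest = {
        "record_id": record["id"],
        "record_sha256": record_digest(record),
        "signer": username,
        "meaning": meaning.strip(),
        "signed_at": datetime.now(timezone.utc).isoformat(),
    }
    manifest["mac"] = _mac(server_key, manifest)
    return manifest


def verify_signature(server_key, record, manifest) -> bool:
    """True only if the manifest is intact and the record is unchanged."""
    unsigned = {k: v for k, v in manifest.items() if k != "mac"}
    intact = hmac.compare_digest(_mac(server_key, unsigned),
                                 str(manifest.get("mac", "")))
    return intact and unsigned.get("record_sha256") == record_digest(record)


if __name__ == "__main__":
    users, key = {}, os.urandom(32)  # constructed demo data
    enrol(users, "qa.manager", "example-passphrase")
    capa = {"id": "CAPA-0001", "status": "closed", "summary": "Label mix-up"}
    sig = sign_record(users, key, capa, "qa.manager", "example-passphrase",
                      "Approval as Quality Manager")
    print(verify_signature(key, capa, sig))                        # unchanged record
    print(verify_signature(key, dict(capa, status="open"), sig))   # edited after signing
```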

The following section explains why, in some cases, EQMS systems must be validated, what validation means, and what the impact is on timescales and costs.

In many cases, start-up companies that are still in an R&D phase, or perhaps creating a medical device requiring a CE mark, do not by law require an Electronic Document Management System to be validated. However, in terms of IT software procurement it is sensible to say that validating such a system is good practice.

However, if your organisation is GMP, i.e. manufacturing products that are part of clinical trials or being manufactured for end user consumption, i.e. patients, then Eudralex, The Rules Governing Medicinal Products in the European Union, Volume 4, Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use, Annex 11: Computerised Systems, comes into force (21 CFR Part 11, if exporting to the USA).

Annex 11 applies to all forms of computerised systems used as part of GMP regulated activities.

The following are extracts taken from the regulation:

• A computerised system is a set of software and hardware components which together fulfil certain functionalities.

• The application should be validated; IT infrastructure should be qualified.

• Where a computerised system replaces a manual operation, there should be no resultant decrease in product quality, process control or quality assurance. There should be no increase in the overall risk of the process.

6.4. Does an EQMS need to be Validated, and if so, how?

The FDA Guidelines on General Principles of Process Validation, May 1987, defines validation as:

“Establishing documented evidence which provides a high degree of assurance that a specific process will consistently produce a product meeting its pre-determined specifications and quality attributes.”

In the pharmaceutical, medical device, and other regulated industries such as food, blood, tissue and clinical trials, validation is the documented act of demonstrating that a procedure, process, and activity will consistently meet the expected results. It often includes the qualification of systems and equipment. It is a requirement for good manufacturing practice and other regulatory requirements.

Since a wide variety of procedures, processes, and activities need to be validated, the field of validation is divided into a number of subsections including cleaning validation, process validation, analytical method validation, equipment, and computer system validation (CSV, GAMP® 5).

The activity of qualifying systems and equipment is divided into a number of subsections including the following:

• Validation planning

• Design qualification (DQ)

• Installation qualification (IQ)

• Operational qualification (OQ)

• Performance qualification (PQ)

• Validation reporting

The above therefore applies to the validation of an Electronic Quality Management System. The ISPE GAMP® 5 provides excellent guidance on how to validate software systems and provides the following table of software categories to help, Figure 8.

Most of the EQMS solutions available today are in fact GAMP category 4 or 5, i.e. highly configurable, customisable, or bespoke. The majority of the Tier 1 vendors provide such software so that it can map onto typically larger and global pharmaceutical, medical device and similar organisations. In GMP organisations these systems must be validated, and GAMP category 4 and 5 systems take much longer and are more expensive to validate.

6.4.1. What is Validation and What is Computer Systems Validation?


Figure 8: GAMP® software categories.

Category | GAMP® 5
1 | Infrastructure Software (OS, middleware, etc)
2 | No longer used
3 | Non-configured Software
4 | Configured Software
5 | Custom Software

Implementing an EQMS becomes a project in itself, and following the GAMP® guidelines needs a full validation lifecycle, starting with a validation plan, user requirements specification, functional design/configuration design, several layers of test specifications and protocols, etc.

With reference to Figure 1 it is no surprise therefore that implementing an EQMS is perceived as time consuming and expensive, particularly if it has to be formally validated.

SMEs, until recently, have not been aware that GAMP Category 3 Electronic Quality Management Systems are now available, and as there is very little configuration the costs are also much smaller and easily affordable for the SME market.

Figure 9: Software Categories & Validation Effort. (Categories shown: Infrastructure Software (Middleware, OS, etc); Non-configured software; Configured software; Custom software.)

Also, there is the complication of on-premise solutions (i.e. where the application is running on a server managed by the user, on the user’s site).

For most SMEs, managing an internal IT infrastructure has many potential problems. (See Figure 10). This is not cost effective and thus normally rules out on-premise solutions for an EQMS.

For GMP organisations, there is also the regulation that the underlying IT infrastructure and network must be qualified.

As part of the improvement over the past few years in IT Networks, Communications, Security, Speed, Reliability, etc we can therefore move our focus to ‘cloud’ based solutions, or preferably Software as a Service (SaaS) and the advantages and opportunities that this offers SME organisations for systems such as an EQMS. See Section 6.5.

As detailed above, Eudralex, Volume 4, Annex 11 states that a computerised system which fulfils certain functionality used as part of a GMP regulated environment must be validated and the IT Infrastructure should be qualified.

This applies to on-premise solutions, i.e. the hardware and servers are stored and maintained at your facility.

Software as a Service solutions for an EQMS ensure that such IT Infrastructure and Network is already fully qualified and this complies with the regulatory requirements.

• IT Support Staff

• IT Infrastructure

• Backup

• Security, Access and Data

• Air Conditioning

• Firewalls

• Fire

• Disaster Recovery

• Maintenance

• Network Performance

• Qualified (Installation Qualified)

6.4.2. Qualification of Network and IT Infrastructure


Figure 10: Typical internal IT and Infrastructure Issues.


Figure 11 is a typical data centre that shows how the IT market is changing and that on-premise software is now being replaced by cloud computing.

Even if an SME wished to purchase an Electronic Quality Management System, for the reasons detailed above it is just too expensive with respect to computer systems validation and to manage and control IT infrastructure. An on-premise solution is no longer affordable, practical or validatable. Refer to Figure 12.

Data centres and Software as a Service, with data centres conforming to ISO 27001 Information Security Management System and ISO 22301 the Business Continuity Standard, are now available and affordable for SMEs.

Thus, with the recent consolidation of cloud computing and the increasing speed and security of the internet and mobile connectivity, i.e. 4G, this has really ensured that SMEs can now start to really adopt ‘Cloud’ based software, or more appropriately referred to as Software as a Service, as these systems can be formally validated.

6.5. Software as a Service (Cloud Computing)

Figure 11: Typical Data Centre with Qualified Infrastructure and Network.


Figure 12: Impact of Cloud Computing on Enterprise IT Spending. (Two charts: “Percent of On-Premise Spending Replaced by Cloud Computing”, 2008 to 2020, and “Cloud Computing Spending Forecast ($ Billion)”, 2008 to 2013, with series for the adjusted cloud computing spending forecast and the forecasted cloud computing spend from secondary sources.)

Chart notes: Extrapolation based on time-series analysis, assuming that factors promoting cloud computing through 2008–13 remain constant beyond 2013 until 2020. Enterprise spending for on-premise solutions will fall, as cloud computing reduces the need for licenses, hardware and software. The cloud computing market is forecast to grow at a rate of 36.6 percent during 2008–13 to $55.2 billion in 2013. It will probably reduce overall technology spending by $30–39.4 billion in 2013, replacing 14.5 percent of global on-premise spending in 2020. Source: Research and Innovation Estimates


When moving to an Electronic Quality Management System there are several choices with respect to data and data migration.

If the company is relatively new, a start-up or has a small set of existing quality data it might be sensible just to start to build up the new system with a series of manual data entry tasks.

If the company already has an established or mature hybrid/paper based system then often there is a significant amount of data to be entered, or migrated, into the new electronic system.

Examples of data to be migrated:

• Quality manual, standard operating procedures, work instructions, templates

• Ongoing and closed Corrective And Preventative Actions (CAPA)

• Ongoing and closed audits

• Ongoing and closed change controls

• Training records

• Equipment calibration, maintenance, service and cleaning records

• Ongoing and closed Non Conformances

• Ongoing and closed Customer Complaints

In most scenarios it is sensible to have a data migration plan. This should be agreed with your IT Systems Integration partner or supplier of the EQMS software and should cover such things as:

• Quantity and size of data

• Data cleansing

• Structure of data

• Translation from legacy format to the new system formats/metadata etc.

• Use of automatic tools/scripts

• Periods of parallel running/cutover

• Validation of the migrated data if regulations state this is a requirement, e.g. Annex 11.
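One way to carry out the last item, validation of the migrated data, shown as an added example that is not part of this guide or of any EQMS product. The legacy column names, the field mapping and the sample rows are constructed assumptions; the check compares record counts and a per-record hash after translation and cleansing.

```python
import hashlib
import json

# Hypothetical mapping from legacy spreadsheet columns to EQMS metadata fields.
FIELD_MAP = {"Doc No": "reference", "Title": "title", "Rev": "version",
             "Owner": "owner", "Review By": "review_by"}

# Constructed legacy rows, as exported from a document register spreadsheet.
LEGACY_ROWS = [
    {"Doc No": "SOP-001", "Title": "Document  Control ", "Rev": 3,
     "Owner": "QA", "Review By": "2015-01-31"},
    {"Doc No": "SOP-002", "Title": "Change Control", "Rev": 1,
     "Owner": "QA", "Review By": "2015-03-31"},
    {"Doc No": "SOP-003", "Title": "Internal Audits", "Rev": 2,
     "Owner": "QA", "Review By": "2015-06-30"},
]

# Constructed export from the new system after a faulty migration run.
MIGRATED_RECORDS = [
    {"reference": "SOP-001", "title": "Document Control", "version": "3",
     "owner": "QA", "review_by": "2015-01-31"},
    {"reference": "SOP-002", "title": "Change Control", "version": "2",
     "owner": "QA", "review_by": "2015-03-31"},   # version changed in transit
    {"reference": "SOP-009", "title": "Unknown", "version": "1",
     "owner": "QA", "review_by": "2015-09-30"},   # not in the legacy source
]


def translate(legacy_row: dict) -> dict:
    """Translate one legacy row to the new field names, with basic cleansing."""
    return {new: " ".join(str(legacy_row.get(old, "")).split())
            for old, new in FIELD_MAP.items()}


def fingerprint(record: dict) -> str:
    """Hash only the mapped fields, in a fixed order, as strings."""
    canonical = json.dumps({f: str(record.get(f, "")) for f in FIELD_MAP.values()},
                           sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


def _index(records):
    """Map reference -> fingerprint and list references seen more than once."""
    index, duplicates = {}, []
    for rec in records:
        ref = rec["reference"]
        if ref in index:
            duplicates.append(ref)
        index[ref] = fingerprint(rec)
    return index, duplicates


def reconcile(legacy_rows, migrated_records) -> dict:
    """Compare what should have been migrated with what actually arrived."""
    expected, dup_src = _index([translate(r) for r in legacy_rows])
    actual, dup_dst = _index(migrated_records)
    return {
        "source_count": len(legacy_rows),
        "target_count": len(migrated_records),
        "missing": sorted(expected.keys() - actual.keys()),
        "unexpected": sorted(actual.keys() - expected.keys()),
        "altered": sorted(r for r in expected.keys() & actual.keys()
                          if expected[r] != actual[r]),
        "duplicates": sorted(set(dup_src + dup_dst)),
    }


def migration_passed(report: dict) -> bool:
    """Pass only when counts match and every discrepancy list is empty."""
    return (report["source_count"] == report["target_count"]
            and not any(report[k] for k in
                        ("missing", "unexpected", "altered", "duplicates")))
```

The report dictionary can be filed with the migration plan as the documented evidence of the check.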

6.6. Migrating Existing Data into an EQMS?

Many of the above sections refer to information and data. This information in a paper based system is difficult to collate and make visible to management.

Often, spreadsheets or ad hoc databases are used to store and collate this information. Referring to Section 6.4.1, in a GMP regulated environment these spreadsheets must also be validated.

Figure 13 is a typical example of how Quality and Compliance metrics and management information can now be made available via an online electronic system. No longer are Quality issues ‘below’ the iceberg, or swept under the carpet. Visible traffic light systems are available to show management the areas of concern.

6.6.1. Quality Metrics and Compliance Dashboard

Figure 13: Typical Quality and Compliance Traffic light dashboard.


If your organisation is starting to create a Quality Management System there are software products available in the market that can now help to speed up the process at an affordable price.

Not only will the initial management of Quality and Compliance become more effective, the introduction of an Electronic Quality Management System at early phases in the growth of a business will become even more effective as organisations grow.

If your organisation already has a Quality Management System and would like to migrate to an Electronic Quality Management System then based on the above sections it is now achievable as there are systems in the market that are affordable and can be up and running within hours, and validated to meet MHRA/FDA requirements within days!

Your organisation does not need to have a complex internal IT infrastructure and most typical concerns regarding compliance to national and international regulations with respect to Electronic Records and Electronic Signatures have now been taken away and with the availability of Software as a Service user licences can be purchased from as little as one user.

If you are involved in Quality, and in particular if you are the Quality Director, Quality Manager, Regulatory Director, Operations Director, etc you can now suggest to the Chief Executive, Finance Director, etc that you want to improve the management and maintenance of your Quality Systems, thus enhancing your overall business credentials, by introducing an Electronic Quality Management System. When discussing the price, it is now possible to state that it is more or less the same price that has been paid for the organisation’s accounting and finance package, where it is seen that an electronic system is industry standard and mandatory.

The following functionality and reasons below now detail why an Electronic Quality Management System is affordable and available for SMEs, and in particular SMEs in a regulated environment.

• Document Management including Electronic Records and Signatures

• Quality processes including: CAPA, Non-Conformance, Complaints, Audits, Change Control, Training Records, Equipment Management, Audit Trail, Alerts, Metrics and dashboard.

• Software as a Service (cost effective user based pricing with as little as one user)

• Data in a secure Data Centre with ISO 9001, ISO 27001 and ISO 22301

• No Hardware or Infrastructure costs, thus no capital outlay

• Set up and Configured within a day

• Fully validated within 5 days (based on GAMP Category 3 system, with minimal configuration)

Final Conclusion: If we refer back to the Executive summary and the starting point of this Good Practice Guide.

“Most SMEs use Sage Accounting or QuickBooks to manage their day-to-day accounting and financial needs and most use a Customer Relationship Management (CRM) software product to manage their day to day sales and customers. Why don’t they create their own software or use bespoke spreadsheets and databases? Because in essence it is a ‘no-brainer’ not to use one of these systems, as they can be provided ‘out-of-the-box’ and set up and be configured and in use within hours at an affordable price”.

This Good Practice Guide demonstrates how the use of Software as a Service has provided functionally rich Electronic Quality Management Systems at an affordable price for SMEs.

The use of Electronic Quality Management Systems in Small to Medium companies to manage Quality and Compliance, should be analogous to using an Electronic Financial System, such as Sage for Accounting and Finance… Using an EQMS should be a ‘no-brainer’.

7. Conclusions


MHRA – http://www.mhra.gov.uk/

FDA – http://www.fda.gov/

ISO – http://www.iso.org/iso/home/standards.htm

ISPE GAMP® – http://www.ispe.org/

ICH – http://www.ich.org/

CE Mark – https://www.gov.uk/ce-marking

Annex 11 – http://ec.europa.eu/health/files/eudralex/vol-4/annex11_01-2011_en.pdf

For further information please contact Email: [email protected] Call: +44 (0) 1606 871113 or visit www.compliance-control.com

8. Acknowledgements, References and Sources
