Upload
lecong
View
214
Download
1
Embed Size (px)
Citation preview
United Kingdom Science Park Association
Good Practice GuideElectronic Quality Management System for SMEs
BUILDING • TECHNOLOGY • BUSINESS
AUDITS
MET
RICS
TRA
ININ
G
DO
CUM
ENTSPROCEDURES
EQUIPMENT
CAPA
NO
N-
CON
FORM
AN
CE
COMPLAINTS
CHANG
E
CON
TRO
L
2
Copyright 2014 © Compliance Control Ltd.BUILDING • TECHNOLOGY • BUSINESS
Table of Contents1. Foreword 3
2. Introduction 3
3. Executive Summary 4
4. Part 1: What is a Quality Management System? 54.1. DefinitionsofQualityand QualityStatements 6
4.2. QualityStandardsandRegulations 8
4.2.1. ISOQualityManagementSystem 8
4.2.2. ISO9001 8
4.2.3. MedicalDevices:MDD93/42/EEC, ISO13485,IEC62304,510(K) 8
4.2.4. CEMARK 9
4.2.5. EnvironmentalStandard:ISO14001 10
4.2.6. LaboratoryStandards:ISO17025 10
4.2.7. OccupationalHealthandSafety AdvisoryServices,BSOHSAS18001 10
4.2.8. ITServiceManagement:ISO20000 10
4.2.9. InformationSecurityManagement: ISO27001 11
4.2.10. BusinessContinuityStandard:ISO22301 11
4.2.11. IntegratedQualityManagementSystem (PAS99) 11
4.3. ICHQ10PharmaceuticalQualitySystem 12
4.4. GMP,GxP’s 12
4.5. ISPEGAMP®5 14
5. Part 2: Paper Based Quality Management Systems 145.1. ManagingaPaperBasedQuality ManagementSystems 15
5.2. SomeKeyProblemswithpaper
basedQualityManagementSystems 16
6. Part 3: Electronic Quality Management Systems (EQMS) 176.1. WhatisanElectronicQuality ManagementSystem? 17
6.1.1. WhatisanEDMS? 17
6.1.2. StructuredandUnstructuredDocuments andData 18
6.2. WhatregulationsapplytoanEQMS? 18
6.3. ElectronicRecordsandElectronic Signatures 18
6.4. DoesanEQMSneedtobeValidated andifsohow? 19
6.4.1. WhatisValidationandWhatis ComputerSystemsValidation? 19
6.4.2. QualificationofNetworkandIT Infrastructure 20
6.5. SoftwareasaService(CloudComputing) 22
6.6. MigratingExistingDataintoanEQMS? 24
6.6.1. QualityMetricsandCompliance Dashboard 24
7. Conclusions 26
8. Acknowledgements, References and Sources 27
3
ThisUKSPAgoodpracticeguidehasbeenproducedbyComplianceControl,oneofourBusinessAffiliates,andisfreelyavailabletoallofoursciencepark,researchpark,technologyparkandtechnologyincubatormanagementteamsandtheirbusinesssupportadvisors.Itisdesignedtohelpcompaniesimplementanew–orimprovetheirexisting–qualitymanagementsystem,andsowillalsobeasignificantresourceforowner-managers,qualitymanagers,ICTandoperationsstaffatmanyofthecompaniesresidinginourmemberlocations–inparticularthoseSMEswhosebusinessesareregulatedbyexternalbodies.
Wehaveaimedtoproduceaguidesufficientlyflexibletoberelevantandusefultoawiderangeofsectorsandsizeoffirm,butalsotocompaniesthathavepaper-baseddocumentqualitymanagementsystemswhowishtomigratetoanelectronicallybasedsystem.
Itrustreaderswillfindthisgoodpracticeguideastimulatingdocumentthatwillbeausefulguidetoyouandyourbusinessasyouseektoimproveyourqualitymanagement systems.
Paul Wright UKSPA Chief Executive
This good practice guide is designed to help companies implement a new, or improve their existing, quality management system
Thefirstpartofthisgoodpracticeguidefocusesonsomedefinitionsandexplanationsonunderstandingwhataqualitymanagementsystemisandsomecommonlyusedregulationsandstandards.Itaimstotakeawaysomeofthemythsandmisconceptionsregardingelectronicrecordsandelectronicsignatures(ERES),bysimplifyingtheregulationsandprovidinganexplanationofhowSMEscanuseelectronicsystemstomanagequality.
Thesecondpartexplainshowtoestablishasimplepaperbasedqualitymanagementsystem.
Thethirdpartexplainshoweventhesmallestofcompaniescannowuseanaffordableelectronicqualitymanagementsystemtooperateaqualitysystem.
Who Should Read This GuideThisguideistargetedatsciencepark,researchpark,technologyparkandtechnologyincubatormanagementteamsandtheirbusinesssupportadvisorsincludingtheownersandQualityManagers,OperationsandICTstaffoftenantcompanieswhosebusinessesareregulatedbyexternalorganisations,eg.ISO,MHRA,FDA,EU,etc.
ThisdocumenthasbeenwrittenbyDavidForrest,ChiefExecutiveofComplianceControlLtdandreviewedbyBobCrawshaw,DirectorandPrincipalConsultant,ComplianceControlLtd.
About Compliance Control LimitedComplianceControlLtdwasfoundedin2005andisaleadingspecialistinregulatorycompliance,qualityandvalidationservicesforabroadspectrumofindustries.RecentfundingfromtheTechnologyStrategyBoardhasenabledresearchanddevelopmentofanElectronicDocumentandQualityManagementSystemtargetedspecificallyatsmallgrowingcompaniesthatneedtoberegulated,whotraditionallywouldnotuseanelectronicITsystemfortheirQualityandComplianceManagementSystem.
Forfurtherinformationreferto www.compliance-control.com
1. Foreword
2. Introduction
Good Practice Guide: ElectronicQualityManagementSystemforSME’s
4
Copyright 2014 © Compliance Control Ltd.
MostSMEsuseSageAccountingorQuickBookstomanagetheirday-to-dayaccountingandfinancialneeds,andmostuseaCustomerRelationshipManagement(CRM)softwareproducttomanagetheirday-to-daysalesandcustomers.Whydon’ttheycreatetheirownsoftwareorusebespokespreadsheetsanddatabases?Because,inessence,itisa‘no-brainer’nottouseoneofthesesystemsastheycanbeprovided‘out-of-the-box’– setup,configuredandinusewithinhoursatanaffordableprice.
AsurveycarriedoutbyManchesterUniversityBusinessSchoolin2012askedthequestion:Howmuchdoesitcost,andhowlongdoesittaketoimplementafinancialsystem,aSales/CRMsystem,andanElectronicQualityManagementSystem(EQMS)?Thesurveywasbasedonapproximately300smalltomediumcompanieswithseverallargerorganisationsalsoresponding.
TheabovesurveywasfocusedmainlyonSMEclients,asitiswidelyknownthatmostlargeclientsalreadyuseanElectronicQualityManagementSystemtomanagetheirday-to-dayqualityandcompliancerequirementsbecausetheycanaffordthepricetagoftieroneElectronicQuality
ManagementSystemsoftwareproducts.Thesetieroneproducts,onthewhole,donotcome‘out-of-the-box’andthereforetaketime,resourcesandmoneytosetup,configureandcustomise(andvalidate),andthusaretypicallyaffordableonlybylargerorganisations.
3. ExecutiveSummary
Conclusions:
60%believedaFinancesystemcouldbesetupandimplementedbetween1weekto2months.
50%believedaSales/CRMsystemcouldbesetupandimplementedbetween1weekto2months.
60%believedanEQMSsystemcouldbesetupandimplementedbetween1monthto6months.
18%believedanEQMSsystemcouldbesetupandimplementedbetween7monthto11months.
Conclusions:
55%believedafinancesystemcouldbesetupandimplementedcostingbetween£1–10k.
67%believedaSales/CRMsystemcouldbesetupandimplementedcostingbetween£1–10k.
0%believedanEQMSsystemcouldbesetupandimplementedcostingbetween£1–10k.
80%believedanEQMSsystemcouldbesetupandimplementedcostingbetween£11–50k.
Figure 1: Durations for implementing finance, sales and quality management software
Figure 2: Cost of implementing finance, sales and quality management software
40%
30%
20%
10%
0%PERC
ENTA
GE
OF
RESP
ON
DA
NTS
30%
23%
15%
33%27% 27%
21%
25%
33%
7% 7%
18%
13%
18%
6%
1-2 Weeks
FINANCE SALES QUALITY
1-2 Months 3-6 Months 7-11 Months 12 Months & Above
80%
60%
40%
20%
0%PERC
ENTA
GE
OF
RESP
ON
DA
NTS
55%
67%
25%
16%
69%
7%4%
11%5%
7% 10% 8% 7%10%
£1k-£10k
FINANCE SALES QUALITY
£11k-£25k £26k-£50k £51k-£100k £101k & above
BUILDING • TECHNOLOGY • BUSINESS
5
Good Practice Guide: ElectronicQualityManagementSystemforSME’s
Forsmallerorganisations,therearealsoconcernsovertheuseofElectronicRecordsandElectronicSignatures,andinsomecasesthereareissuesofComputerSystemValidationofthesoftware.
ThisgoodpracticeguideisthereforetargetedmainlyattheSMEmarketspaceas,basedontheaboveevidence– inparticulartimescaleandcost–mostSMEstendtohaveamanualpaperbasedsystem,ahybridapproach,oran
unintegratedITsystemsapproachtoqualitymanagement,astheyperceivetheycannotaffordthetimeormoneytoimplementanElectronicQualityManagementSystem.
ThisgoodpracticeguideaimstoshowSMEshowtheycannowuseanElectronicQualityManagementSystemfortheirregulatory,qualityandcomplianceprocessesatanaffordableprice,basedonlatestadvancesofSoftwareandITInfrastructure.
AQualityManagementSystem(QMS)isacollectionofbusinessprocessesfocusedonachievingaqualitypolicyandqualityobjectives–i.e.whatyourcustomerwantsandneeds.(ChrisAnderson.WhatisaQualityManagementSystem?Bizmanualz,Nov18,2013.)
Itcanbeexpressedastheorganisationalstructure,policies,procedures,processesandresourcesneededtoimplementqualitymanagement.Earlysystemsemphasisedpredictableoutcomesofanindustrialproductionline,usingsimplestatisticsandrandomsampling.Bythe20thcentury,labourinputsweretypicallythemostcostlyinputs,sofocusshiftedtoteamcooperationanddynamics,especiallytheearlysignallingofproblemsviaacontinuousimprovementcycle.Inthe21stcentury,QMShastendedtoconvergewithsustainabilityandtransparencyinitiatives,asbothinvestorandcustomersatisfactionandperceived
qualityisincreasinglytiedtothesefactors.OfallQMSregimes,theISO9000familyofstandardsisprobablythemostwidelyimplementedworldwide.
OneofthemostcommontoolsforworkingonqualityinalongtermcyclicalandsustainablemanneristheDemingcircle(PDCA).TheDemingcirclewasdevelopedbytheAmericanstatisticianWilliamEdwardsDeming(1900–1993)whoworkedmainlyinJapan.ThemethodologycanbefoundinmostISOstandards:ISO9001,ISO17025,etc.ThefourelementsoftheDemingcircleare:
• Planwhatyouwilldoandhowyouwilldoit• Dowhatyouhaveplanned• Check theresults• Actorreacttothingsthatgowrongandinvestigate howtoimprove(further)
4. Part1:WhatisaQualityManagementSystem?
Dowhat you have planned
Planwhat you will do and
how you will do it
Checkthe results
Actor react to things that go wrong and investigate how to improve (further)
Figure 3: Deming circle (PDCA)
6
Copyright 2014 © Compliance Control Ltd.
Thefollowingaresomeextractsandexamplesfromthemanydifferingdefinitionsofquality:
• Manufacturingbaseddefinitionsareconcernedprimarilywithengineeringandmanufacturingpracticesandusetheuniversaldefinitionof“conformancetorequirements.”Requirements,Specifications,andDesignsarealreadyestablished,andduringmanufacturinganydeviationimpliesareductioninquality.Theconceptappliestoservicesaswellasproducts.
• Excellenceinqualityisnotnecessarilyintheeyeofthebeholderbutratherinthestandardssetbytheorganisation.
• Manufacturing:ameasureofexcellenceorastateofbeingfreefromdefects,deficiencies,andsignificantvariations,broughtaboutbythestrictandconsistentadherencetomeasureableandverifiablestandardstoachieveuniformityofoutputthatsatisfiesspecificcustomeroruserrequirements.
• Putsimply…qualityisthelevelofadherencetogoodprocedures.Ifasimplesetofprocedurescanbeputinplace,andstafftrainedaccordingly,thenthedefinedprocessesshouldproducequalityproductsand/orservices.
• Failuretocreateappropriateprocedures,lackofinitial,andongoingtraining,andpoorinternalauditingprocesseswilleventuallyleadtopoorqualityproductsandservices.
• Whereanorganisationproducesproductsorservicesthatmustcomplywithregulations,thelevelofqualityoftheorganisationisdefinedbythelevelofproceduresinplacetoensureconformancetothesetofregulationsthatmustbefollowed.Adequatestafftrainingregardingtheoperationalprocedures,combinedwithgoodinternalauditing,andasimpleandeffectiveCAPA(correctiveaction,preventiveaction)system,willensurecompliance.
• Asimplenon-conformance,deviationmanagementsystemprocess,includinginvestigationsfromcustomercomplaintsshoulddriverootcauseanalysisinvestigations,thusimprovingoverallquality.
4.1. DefinitionsofQualityandQualityStatements
Figure 4: Typical ISO 9001 Quality Circle.Re
so
urce Measure
Mon
itorIm
prove
Core Control Procedures
Statement of Purpose
Sales Development
Support Production
BUILDING • TECHNOLOGY • BUSINESS
8
Copyright 2014 © Compliance Control Ltd.
TherearemanystandardsandregulationsrangingfromISO(InternationalOrganizationforStandardization)suchasISO9001,14001,13485,17025,18001(OccupationalHealthandSafetyAdvisoryServices,OHSAS),20000,27000,andtheotherindustryandcountryregulatorybodies,suchastheUSFoodandDrugAdministration(FDA),UKMedicinesandHealthcareproductsRegulatory
Agency(MHRA),InternationalStandardssuchasICHQ10(InternationalConferenceonHarmonisation),theEuropeanMedicinesAgency(EMA)andtheEuropeanCommissionCEMarking,tolistbutafew!
Thefollowingsectionsprovidefurtherinformationonthemostcommonlyusedstandardsandregulations.
ISO(InternationalOrganizationforStandardization)istheworld’slargestdeveloperofvoluntaryinternationalstandards.Internationalstandardsgivestateoftheartspecificationsforproducts,servicesandgoodpractice,helpingtomakeindustrymoreefficientandeffective.Developedthroughglobalconsensus,theyhelptobreakdownbarrierstointernationaltrade.Itwasfoundedin1947,andsincethenhaspublishedmorethan19,500
internationalstandardscoveringalmostallaspectsoftechnologyandbusiness.Fromfoodsafetytocomputers,andagriculturetohealthcare,ISOinternationalstandardsimpactallofus.
ISOcertificationcanincreasetheeffectivenessofyourexistingmanagementsystemsandallowtheorganisationtobecomemoreefficientinthewayitoperates.
ISO9001istheworld’smostestablishedqualityframework,focusingoneffectivemanagementofbusinessandmeetingcustomers’requirements.Thestandardisusedin175countriesworldwideandhelpsallkindsof
organisationstosucceedthroughimprovedcustomersatisfaction,staffmotivationandcontinuousimprovement.Refertosection5formoredetailsonISO9001.
TheEuropeanUnionMedicalDevicesDirective(MDD93/42/EEC)coversavastrangeofproductsfromfirst-aidbandagesandwalkingframestoCTscannersandimplants.Giventhiswiderange,itisnotjustifiabletosubjectalldevicestothesamelevelsofconformityassessment.Itisimportant,therefore,thatthelevelofcontrolismatched,asfaraspossible,tothedegreeofriskinherentinthedevice.
Thecorelegalframeworkactuallyconsistsof3directives:
• Directive90/385/EECregardingactiveimplantablemedicaldevices
• Directive93/42/EECregardingmedicaldevices
• Directive98/79/ECregardinginvitrodiagnosticmedicaldevices
Attemptswerethereforemadetosetthecontrolsrelativetotheperceivedriskinanefforttomakethemasrelaxedaspossible(toeasethebureaucraticandfinancialburdensonbusiness)andasstrictasnecessary(toensurethatthehealthofthepatientanduserisadequatelyprotected).
Theclassificationofdevicesisthereforearisk-basedsystem.ThecriteriaforclassificationaredescribedinAnnexIXoftheMedicalDevicesDirective.
‘General’medicaldevicesaregroupedintofourclassesasfollows:
• ClassI–generallyregardedaslowrisk
• ClassIIa–generallyregardedasmediumrisk
• ClassIIb–generallyregardedasmediumrisk
• ClassIII–generallyregardedashighrisk
4.2. Quality Standards and Regulations
4.2.1. ISO Quality Management System
4.2.2. ISO 9001
4.2.3. Medical Devices: MDD 93/42/EEC, ISO 13485, IEC 62304, 510(K)
BUILDING • TECHNOLOGY • BUSINESS
9
Good Practice Guide: ElectronicQualityManagementSystemforSME’s
Classificationofamedicaldevicedependsuponaseriesoffactors,including:
• Howlongthedeviceisintendedtobein continuoususe
• Whetherornotthedeviceisinvasiveor surgicallyinvasive
• Whetherthedeviceisimplantableoractive
• Whetherornotthedevicecontainsasubstance,whichinitsownrightisconsideredtobea medicinalsubstanceandhasactionancillaryto thatofthedevice.
Thedifferencebetweeneachclassrestsinthechoiceofconformityassessmentproceduresavailable.Thesection“ConformityassessmentandtheCEMark”intheMedicalDevicesDirectivehasadescriptionofthevariousconformityassessmentroutesavailabletomanufacturers.Itisthestatedintendedpurposeofthedevice,assignedbythemanufacturer,whichdeterminestheclassinwhichadeviceiscategorised.See www.mhra.gov.uk/Howweregulate/Devices/Classification/
Withinthemedicaldevicesector,ISO13485takesthefundamentalrequirementsofISO9001andrelatesittotheproductionofmedicaldevices,in-vitromedicaldevicesandimplantableactivedevices.ForcompaniesmanufacturingdevicestobeCEmarkedforsaleinEurope,implementationofISO13485providesthesimplestsolutiontomeetingtherequirementsoftheEuropeanMedicalDeviceDirectives.
Insomecases,medicaldevicescontainsoftwareandtheInternationalElectrotechnicalCommission(IEC)62304standardspecifiessoftwaredevelopmentlifecyclerequirementsforthedevelopmentofmedicalsoftwareandsoftwarewithinmedicaldevices.
TomarketadeviceintheUSA,theUSAsection510(k)oftheFDAActrequiresdevicemanufacturerstonotifytheFDA,atleast90daysinadvance,oftheirintenttomarketamedicaldevice.
ThisisknownasPreMarketNotification–alsocalledPMNor510(k).ItallowstheFDAtodeterminewhetherthedeviceisequivalenttoadevicealreadyplacedintooneofthethreeclassificationcategories.Thus,“new”devices(notincommercialdistributionpriortoMay28,1976)thathavenotbeenclassifiedcanbeproperlyidentified.
Anydevicethatreachesthemarketviaa510(k)notificationmustbe“substantiallyequivalent”toadeviceonthemarketpriortoMay28,1976(a“predicatedevice”).Ifadevicebeingsubmittedissignificantlydifferent,relativetoapre-1976device,intermsofdesign,material,chemicalcomposition,energysource,manufacturingprocess,orintendeduse,thedevicenominallymustgothroughaPreMarketApproval,orPMA.
Adevicethatreachesthemarketviathe510(k)processisnotconsideredtobe“approved”bytheFDA.Nevertheless,itcanbemarketedandsoldintheUnitedStates.Theyaregenerallyreferredtoas“cleared”or“510(k)cleared”devices.
TheCEmarking,orformerlyECmark,isamandatoryconformitymarkingforcertainproductssoldwithintheEuropeanEconomicArea(EEA)since1985.TheCEmarkingisfoundevenonproductssoldoutsidetheEEA,becausetheyareeitherproductsmanufacturedintheEEAandhavebeenexported,ortheyweremanufacturedinothernationswhichhaveEEAasaprimemarket.ThismakestheCEmarkingrecognizableworldwideeventopeoplewhoarenotfamiliarwiththeEuropeanEconomicArea.
Therearecertainrulesunderlyingtheproceduretoaffixthemarking:
• ProductssubjecttocertainECdirectivesprovidingforCEmarkinghavetobeaffixedwiththeCEmarkingbeforetheycanbeplacedonthemarket.
• Manufacturershavetocheck,ontheirsoleresponsibility,whichEUdirectivestheyneedtoapplyfortheirproducts.
• Theproductmaybeplacedonthemarketonly ifitcomplieswiththeprovisionsofallapplicabledirectivesandiftheconformityassessmentprocedurehasbeencarriedoutaccordingly.
• ThemanufacturerdrawsupanECdeclarationofconformityandaffixestheCEmarkingontheproduct.
• Ifstipulatedinthedirective(s),anauthorisedthirdparty(notifiedbody)mustbeinvolvedintheconformityassessmentprocedure.
• IftheCEmarkingisaffixedonaproduct,itcanbearadditionalmarkingsonlyiftheyareofdifferentsignificance,donotoverlapwiththeCEmarkingandarenotconfusinganddonotimpairthelegibilityandvisibilityoftheCEmarking.
4.2.4. CE Mark
10
Copyright 2014 © Compliance Control Ltd.
Sinceachievingcompliancecanbeverycomplex,CEmarkingconformityassessment,providedbyanotifiedbody,isofgreatimportancethroughouttheentireCEmarkingprocess,fromdesignverificationandsetupofthetechnicalfiletotheECDeclarationofConformity.
ResponsibilityforCEmarkinglieswithwhoeverputstheproductonthemarketintheEU,i.e.anEU-basedmanufacturer,theimporterordistributorofaproductmadeoutsidetheEU,oranEU-basedofficeofanon-EUmanufacturer.
ThemanufacturerofaproductaffixestheCEmarkingtoitbuthastotakecertainobligatorystepsbeforetheproductcanbearCEmarking.Themanufacturermustcarryoutaconformityassessment,setupanelectromagneticcomprehensivenesstechnicalfileandsignanECdeclarationofconformity.Thedocumentationhastobemadeavailabletoauthoritiesonrequest.
Fororganisationsthatwanttoprovetheir‘greencredentials’,ISO14001istheinternationalstandardthathelpsbusinesseswithimplementinganEnvironmentalManagementSystem,includingproducingan environmentalpolicyandobjectives.Thestandardcan
beusedtoimplementanenvironmentalmanagementsystemfromscratchorimproveonanexistingone,whilsttakingaccountofdiversegeographical,culturalandsocialconditionsthatmayexistinbusiness.
ISO17025isthemainstandardusedtoassessthecompetenceoftestingandcalibrationlaboratories.
Thestandarditselfcomprisesfiveelementsthatarescope,normativereferences,termsanddefinitions,managementrequirementsandtechnicalrequirements.ThetwomainsectionsinISO17025aremanagement
requirementsandtechnicalrequirements.Managementrequirementsareprimarilyrelatedtotheoperationandeffectivenessofthequalitymanagementsystemwithinthelaboratory.Technicalrequirementsincludefactorswhichdeterminethecorrectnessandreliabilityofthetestsandcalibrationsperformedinlaboratories.
OHSAS18001isaBritishStandardforoccupationalhealthandsafetymanagementsystems.Itexiststohelpallkindsoforganisationsputinplacedemonstrablysound
occupationalhealthandsafetyperformance.Itiswidelyseenastheworld’smostrecognisedoccupationalhealthandsafetymanagementsystemsstandard.
ISO20000isthefirstinternationalstandardforITservicemanagement.Itwasdevelopedin2005,andrevisedin2011.Itisbasedon,andintendedtosupersede,theearlierBS15000thatwasdevelopedbyBSIGroup.
ISO20000-1:2011(‘part1’)includes“thedesign,transition,deliveryandimprovementofservicesthatfulfilservicerequirementsandprovidevalueforboththecustomerandtheserviceprovider.ThispartofISO20000requiresanintegratedprocessapproachwhentheservice
providerplans,establishes,implements,operates,monitors,review,maintainsandimprovesaservicemanagementsystem(SMS).”
The2011version(ISO20000-1:2011)comprisesthefollowingninesections:scope,normativereferences,termsanddefinitions,servicemanagementsystemgeneralrequirements,designandtransitionofneworchangedservices,servicedeliveryprocesses,relationshipprocesses,resolutionprocessesandcontrolprocesses.
4.2.5. Environmental Standard: ISO 14001
4.2.6. Laboratory Standards: ISO 17025
4.2.7. Occupational Health and Safety Advisory Services, BS OHSAS 18001
4.2.8. IT Service Management: ISO 20000
BUILDING • TECHNOLOGY • BUSINESS
11
Good Practice Guide: ElectronicQualityManagementSystemforSME’s
ISO27001isanInformationSecurityManagementSystem(ISMS)standardpublishedinOctober2005bytheInternationalOrganizationforStandardization(ISO)andtheInternationalElectrotechnicalCommission(IEC).ItsfullnameisISO/IEC27001:2005,InformationTechnology,SecurityTechniques,InformationSecurityManagementSystems,Requirements.Thisstandardwasupdatedon25thSeptember2013andisnowknownasISO/IEC27001:2013.
ISO/IEC27001formallyspecifiesamanagementsystemthatisintendedtobringinformationsecurityunderexplicitmanagementcontrol.Beingaformalspecification
meansthatitmandatesspecificrequirements.Thestandardincludesthefollowing:
• Informationsecurityleadershipandhigh-levelsupportforpolicy
• Planninganinformationsecuritymanagementsystem; risk assessment; risk treatment
• Supportinganinformationsecuritymanagementsystem
• Makinganinformationsecuritymanagementsystem operational.
ISO22301isthebusinesscontinuitystandardformanagementsystems,itsupersedesBS25999whichwastheworld’sfirstBritishStandardforbusinesscontinuitymanagement.
ISO22301:2012specifiesrequirementstoplan,establish,implement,operate,monitor,review,maintainandcontinuallyimproveadocumentedmanagementsystemtoprotectagainst,reducethelikelihoodofoccurrence,preparefor,respondto,andrecoverfromdisruptiveincidentswhentheyarise.
Themoremanagementsystemsanorganisationhasinplace,themorethebusinesscouldpotentiallybenefit.However,managingseveralQualityManagementSystemswithareasofoverlapandduplicationhasoftenbeenconfusingandexpensive.
RecentlytheBritishStandardsInstitutehascreatedPAS99whichisaspecificationforintegratedmanagementsystems.Thistakesthehardworkoutofmanagingmorethanonecertifiedsystematthesametime.PAS99integratedmanagementsystemsallowanorganisationtostreamlinethewayitoperates,aligningallcommonstandardrequirements,andcuttingthecostofseparateauditsand administration.
ThePAS99detailsonesystemthatprovidesonesetofdocumentation,policies,proceduresandprocessesforalloftheirmanagementsystems.ItwasdevelopedusingtheISOguideforwritingmanagementsystemstandardsand typical integrated management systems might includeISO9001QualityManagement,ISO14001EnvironmentalManagement,BSOHSASOccupationalHealthandSafetyManagement,IS0/IEC27001Information
SecurityManagement,ISO/IEC20000ITServiceManagement,ISO22000FoodSafetyManagementandBSISO22301BusinessContinuityManagement,etc.
Anintegratedmanagementsystem,therefore,isbetterforbusinessesasitismuchsimplertomeetallstandardrequirementsusingonesetofpoliciesandprocedures.Multiplesystemscanbeauditedatthesametimeandstaffcanbetrainedtousemorethanonesystematatime–savingmoneyandboostingbothperformanceandefficiency.Communicationalsoimproveswhencompaniesareworkingtowardsacommonsetofobjectives,givingclearerrolesandresponsibilities.
Plus,administrationbecomeseasierwhenallsystemscanbemanagedusingthesameprocesses(andasingleelectronicsystem,seebelow)makingsurethatactionssupportorenhanceeachsystem.Allofthispointstowardcontinualinvestmentandimprovement,whichcangivecustomers,stakeholdersandsuppliersgreaterconfidenceintheorganisation’sabilitytodeliverintegratedandeffectivemanagementsystems.
4.2.9. Information Security Management: ISO 27001
4.2.10. Business Continuity Standard: ISO 22301
4.2.11. Integrated Quality Management System (PAS 99)
12
Copyright 2014 © Compliance Control Ltd.
Theofficialtitleis:“ExpertWorkingGroup(Quality)oftheInternationalConferenceonHarmonisationofTechnicalRequirementsforRegistrationofPharmaceuticalsforHumanUse(ICH)”.
Thisinternationallyharmonisedguidanceisintendedtoassistpharmaceuticalmanufacturersbydescribingamodelforaneffectivequalitymanagementsystemforthepharmaceuticalindustry,referredtoasthepharmaceuticalqualitysystem,whichiscalledtheICHQ10model.
ICHQ10describesonecomprehensivemodelforaneffectivepharmaceuticalqualitysystemthatisbasedonInternationalOrganizationforStandardization(ISO)
qualityconcepts,includesapplicablegoodmanufacturingpractice(GMP)regulations,andcomplementsICH“Q8PharmaceuticalDevelopment”andICH“Q9QualityRiskManagement.”
ICHQ10isamodelforapharmaceuticalqualitysystemthatcanbeimplementedthroughoutthedifferentstagesofaproductlifecycle.MuchofthecontentofICHQ10applicabletomanufacturingsitesiscurrentlyspecifiedbyregionalGMPrequirements.ICHQ10isnotintendedtocreateanynewexpectationsbeyondcurrentregulatoryrequirements.Consequently,thecontentofICHQ10thatisadditionaltocurrentregionalGMPrequirementsis optional.
GoodManufacturingPractices(GMP)arethepracticesrequiredinordertoconformtoguidelineslaiddownbyagencieswhichcontrolauthorisationandlicensingformanufactureandsaleoffood,drugproducts,andactivepharmaceuticalproducts.Theseguidelinesarelaiddownwiththeintentionofprovidingminimumrequirementsthatapharmaceuticalorafoodproductmanufacturermustmeetwhilemanufacturingdrugsorfoodproducts,whichthenassuresthattheproductsmanufactured/producedareofhighqualityanddo notposeanyrisktotheconsumerorpublic.
IntheUnitedKingdom,theMedicinesAct(1968)coversmostaspectsofGMPinwhatiscommonlyreferredtoas“TheOrangeGuide”,whichisnamedsobecauseofthecolourofitscover;itisofficiallyknownasRulesandGuidanceforPharmaceuticalManufacturersandDistributors.
WithintheEuropeanUnion,GMPinspectionsareperformedbyNationalRegulatoryAgencies–e.g.GMPinspectionsareperformedintheUnitedKingdombytheMedicinesandHealthcareproductsRegulatoryAgency(MHRA).
GMPsareenforcedintheUnitedStatesbytheU.S.FoodandDrugAdministration(FDA).Theregulationsusethephrase“currentgoodmanufacturingpractices”(cGMP)todescribetheseguidelines.
Othergoodpracticesystems,alongthesamelinesasGMPexist,andareoftenreferredtoasGxPs:
• GoodLaboratoryPractice(GLP),forlaboratoriesconductingnon-clinicalstudies(toxicologyandpharmacologystudiesinanimals);
• GoodClinicalPractice(GCP),forhospitalsandcliniciansconductingclinicalstudiesonnewdrugsinhumans;
• GoodDistributionPractice(GDP)dealswiththeguidelinesfortheproperdistributionofmedicinalproductsforhumanuse.
AlltheabovefollowasimilarcoreofQualityManagementSystemprocessesbutalsohavekeyfocusedproceduresandprocessesonthedifferingpractice.
4.3. ICH Q10 Pharmaceutical Quality System
4.4. GMP, GxPs
BUILDING • TECHNOLOGY • BUSINESS
14
Copyright 2014 © Compliance Control Ltd.
GoodAutomatedManufacturingPractice(GAMP®)isbothatechnicalsubcommitteeoftheInternationalSocietyforPharmaceuticalEngineering(ISPE)andasetofguidelinesformanufacturersandusersofautomatedsystemsinthepharmaceuticalindustry.Morespecifically,theISPE’sguide:TheGoodAutomatedManufacturingPractice(GAMP®)GuideforValidationofAutomatedSystemsinPharmaceuticalManufacture,describesasetofprinciplesandproceduresthathelpensurethatpharmaceuticalproductshavetherequiredquality.One
ofthecoreprinciplesofGAMPisthatqualitycannotbetestedintoabatchofproductsbutmustbebuiltintoeachstageofthemanufacturingprocess.ThelatestreleaseGAMP®5istitled:AriskbasedapproachtoComputerSystemsValidation.
GAMP®isaguidelinethatdescribeshowtovalidatecomputersystems,i.e.providedocumentedevidencetoprovethatcomputersystemsinthepharmaceuticalindustryworkaccordingtoagreedspecifications.
Let’stakeISO9001asthekeyandcorestartingpointforaQualityManagementSystemwhichfocusesonmeasurement,monitoring,improvementandadequateresourcestoensuretheimprovementsaremade.
ThecoreofaQualityManagementsystemisnormallyaQualityManual.Thisisadocumentcreatedusingastandardwordprocessorandtypicallyrangesfrom5–25pages.Itisreallyahighlevelsummaryofthemanagementsystemthatisbeingadoptedandoftenreferstothehighlevelstandardthatyouareaspiringtoconformto.UsingISO9001asabaseline,thenthiswillalsodetailthemanagementstructureandwhoisresponsibleformanagingthequalitysystem,normallyreferredtoastheQualityManager.
Thelistbelowdetailsthe19coreelementsof9001,mostotherqualitymanagementsystemscovermoreorlessthesameareasthatarenormallyfoundinaqualitymanual.Thequalitymanualistypicallyahighlevelreferencepoint,wheretheactualdetailisthenfoundinfurtherproceduresorStandardOperatingProcedures(SOP’s):
• QualityManual
• ManagementStructure
• Documentation
• RecordsManagement
• Change Control
• CustomerRelationshipManagement
• ProductsandServiceDelivery
• ProductsandServiceDevelopment
• EnvironmentManagement
• HumanResources
• SupplierandOutsourcingManagement
• EquipmentMaintenanceandCalibration
• Purchasing
• MonitoringofCustomerSatisfaction
• InternalAudits
• MonitoringProductionandServiceDelivery
• AnalysisofPerformanceoftheQMS
• CorrectiveActionandPreventativeAction
• ManagementReview
Typically,therearetwokeyaspectstoaquality managementsystem:
Thefirstaspectis:Whatdoesyourbusinessdo,andhowdoesitcarryitoutonaday-to-daybasis?Isitaservice/consultancybusinessdesigninganewproduct?Alaboratorysampletestingfacility?Oramanufacturingfacility?
Eachbusinessisdifferentandthustheprocessesaredocumentedinstandardoperatingprocedures.Theseproceduresdescribeindetailhowyourbusinessfunctionsonaday-to-daybasis.Oncetheprocedureshavebeenwritten,formaltrainingrecordsarerequiredto provideevidencethatthetraininghasbeencarriedoutadequately.Alltheseproceduresneedtoconformtoyourdocumentationstandardsprocedurethathasbeenpreviouslycreated,reviewedandapproved.
Aswellasprocedures,awholeseriesofformsarerequiredtotrackandrecordthedocumentedevidence,inISO9001thisiscalledrecordsmanagement.Externalauditorsmusthave‘documentedevidence’thatactionsandactivitieshavebeencarriedout.
4.5. ISPE GAMP®5
5. Part2:PaperBasedQualityManagementSystems
BUILDING • TECHNOLOGY • BUSINESS
15
Good Practice Guide: ElectronicQualityManagementSystemforSME’s
Thesecondaspectis:Thestandardqualityprocessesthatarerequiredacrossallbusinessesinalldifferentindustrysectors.Typically,theseare:
• DocumentationManagement,ControlandIssue
• RecordsManagement,includingtrainingrecords
• ChangeControlManagement
• MonitoringofCustomerComplaints
• InternalAudits
• NonConformance
• CorrectiveActionandPreventativeAction
Oncetheaboveprocessesareinplaceandthequalitymanualandprocedureshavebeenreviewedandapprovedtheninternalauditingcantakeplace,whichisasystematiccheckofeachpartofthequalitysystemandprocesses.
SettingupaQualityManagementSystemwillrequirenumerousprocedures,forms,recordsandprocesses–addinguptoalotofpaperwork!Inapaperbasedqualitymanagementsystemthefollowingimagescanapply.
Setofringbinders In-traypiledupwithpaperdocumentsandforms
QualityManagerpreparingforanaudit
Organisedfilingcabinet
Figure 5: Example of paper based systems.
MostpaperbasedqualitymanagementsystemsinSMEsuseabaseofelectronicsystems.Acombinationofwordprocessors,spreadsheetsandadhocdatabasesareused,allrunningonaninformalITInfrastructure.Thecorebasedocumentsarestoredondesktops,laptops,servers,etc.Insomecasesthisisinanorganisedfolderstructure,inothercaseslessorganised.Often,thereisnoformalbackupandsystemsecuritystrategyandnoprotectionortraceabilityonwhoedits,updatesanddeletesfilesandotherqualityrecords.
InsomecasestheITdepartmentorjustsomeonewithsomeITskillscanquicklycreateasimpledatabaseapplicationtomanagesomeofthequalityrecordsrequired(asaquickfix).Quickly,however,thisbecomesproblematicastherearethenissuesaboutaccesscontroltothesystem,whomanagesandmaintainsthesystem
andtheinitialshortterm(quickfix)benefitsarequicklylostandovertakenbycomplexITdevelopmentandsupportissues.
Figure6isanexampleofhowadhocspreadsheetsanddatabasescanresultinadiverseand‘unintegrated’system.
Suchanadhocsystemisverydifficulttomaintain,particularlyasacompanygrows,andifinaformallyregulatedindustrysuchasMHRA,FDA,etcthenthefollowingexampleismoreorlessunvalidatable,hencethedataresidingwithinthesystemscannotbeusedasevidenceduringregulatoryinspections.
HenceSMEseitherhaveastandalonepaperbasedsystemorthereareoftentwosystemsrunninginparallel;asimplepaperbasedsystemandtheadhoc,hybrid,unvalidatablesystem.
5.1. Managing Paper Based Quality Management Systems
16
Copyright 2014 © Compliance Control Ltd.
• TheuseofKeyPerformanceIndicators(KPIs)toprovidevisibilityandtodemonstratethelevelofqualityofanorganisationisdifficultusingapaperbasedsystem.ElectronicQualityManagementSystemsprovidevisibleKPIstomanagement.Staffusinginformationmanagementsystemstohelpfollowqualityprocessesandprocedurescanhelptoimprovevisibilityandlevelsofquality.
• Searchingfordocumentsandformsisimpracticalwithpaperonlybasedsystems.
• Documentsandformssentroundforreviewandapprovalarenottrackable.Oftendocumentscanbehiddeninin-trays(Figure5).
WhilstinsomecasestheQualityAdministratororDocumentandRecordsAdministratormaybeextremelyefficientandwellorganised,itisstillpotentiallydifficulttofinddocumentsandformsandtosearchforinformationwithindocumentsandforms.
Inasmallorganisation,manyringbindersareoftenfoundwiththelatestversionofstandardoperatingprocedures.Onesmallorganisationoflessthan100
peoplehad30RingBindersspreadaroundindifferentlocations.Theadministrativeburdentookatleast2daysamonthtokeepthesebindersuptodatebyaddinginnewandupdatedprocedures,andremovingredundantprocedures.Notonlywasthiscostingtimeandmoneyforadministrationbutalsothecostofprintingandpaper.Italsoleadstounfortunateerrors,asmanagingsuchasystemispronetohumanerror.
5.2. Some Key Problems with paper based Quality Management Systems
Figure 6: Example of ad hoc, hybrid, unvalidatable system.
DisparateSystem
Excel Spreadsheets
Quality Management System
Issue Tracking System
ProjectDocumentation
Training Records
ChangeControlSystem
✔✘
BUILDING • TECHNOLOGY • BUSINESS
17
Good Practice Guide: ElectronicQualityManagementSystemforSME’s
• Asbusinessesgrowitisincreasinglydifficulttomanagethenumerousspreadsheetsandadhocdatabasesthatarecreatedtomanagequalitydocuments,processesandrecords.
• ForclientswithFDA,MHRAandothersimilarregulatoryrequirementsitisvirtuallyimpossibletovalidateanadhoc,bespokeITsystemusedtostoreQualityManagementSystemsdocumentation.
• ITInfrastructureandNetwork(andformalQualification)isvitaltoensuregoodaccessandsecurityandthecostsassociatedwiththisareburdensomeforsmallbusinesses.
• Inmanycasespaperbasedsystemscannotbemanagedandcontrolledwellandunlessthereistrueoverallvisibilityofallqualityrecordsanddatathenanorganisationcouldwellhaveseriousqualityissues.ThisisoftencalledtheTipoftheIceberg(Figure7).Whilstmaybe10%ofthequalityissuesarevisible(abovethewater),90%ofthequalityissuesareinvisible(underwaterinthehiddenpaperchase).
Figure 7: Tip of the Iceberg.
Whilethegeneralprinciplesofqualitymanagementhaveremainedconsistentformanyyears,theITandelectronicsystemsandsolutionsusedtoensuretheproductionanddeliveryofhighqualityproductsandprocessesacrossthevaluechainhavechangeddrastically.
Companiesinitiallydevelopedspreadsheetsandadhocdatabasemanagementsystems,whichwereusedtomanuallymonitorandanalysequalitydata.Withdevelopmentsintechnology,therewasamovementtowardcompanieseitherimplementingpointqualitysolutions(manyofthemhomegrown)orqualityspecificmodulesinERPsystemstomanagequality.Inbothcases,thevastmajorityofcompaniesfailedtomeetthebusinessandtechnicalrequirementsofglobalmanufacturingcompanieswithrespecttoaQualitySolution.
Asaresult,manyorganisationsnowhaveadisjointed,broadsetofsystemsthatdon’teasilycommunicatewithoneanother.Improvementswiththesesystemsareoftenlocalised,lackingtheglobalvisibilityneededtotrulymanagequality.
Withtheneedinthemarket,anewsoftwarecategoryhasemerged:ElectronicQualityManagementSystems(EQMS).(InsomecasesEQMScanalsostandforEnterpriseQualityManagementSystems).
Inessence,anEQMSisasoftwaresolutionspecificallydesignedtomanageQualityProcesses,Documents,and Data.
6. Part3:ElectronicQualityManagementSystems(EQMS)6.1. What is an Electronic Quality Management System?
ADocumentManagementSystem(DMS)isacomputersystem(orsetofcomputerprogrammes)usedtotrackandstoreelectronicdocuments.Itisusuallyalsocapableofkeepingtrackofthedifferentversionsmodifiedby
differentusers.Today,mostofthesesystemsarereferredtoasanElectronicDocumentManagementSystem.AnEDMSisacorepartofanElectronicQualityManagementSystem.
6.1.1. What is an EDMS?
18
Copyright 2014 © Compliance Control Ltd.
InsomecasesanEDMScanbejustafolderstructureorrepositoryfordocuments.Inthiscase,documentsaredraggedanddroppedintofolderstructuresthathavesome simple organised hierarchy. In this case there are oftenintelligentsearchenginesthatcanaccessthecontentofthedocumentandthedocumentproperties.ThisisoftenreferredtoasUnstructuredDocuments.
However,itisalsopossiblewhenaddingdocumentstoanelectronicsystemtoaddadditionaldatafieldsaspartofthedocument.ThisisoftencalledStructuredDocuments,orMetadata.Additionaldatasuchasdocumentowner,reviewerandapprovercanbeadded,andelectronicsignaturerecords,alongwithmanyadditionaldatafieldssuchasrequiredbydate,reviewbydate,documentexpirydate,documentversionnumber,documentreferencenumber,etc.
WhenselectinganEDMSitisimportanttoensurethatthereistheabilitytoaddstructureddata,sothatmetricsandadashboardcanbemadeavailableshowingtrendinginformationandprovidingtheabilityforanalert/trafficlightsystemtomanageandmonitordocumentstatus.
Inasimilarway,itisimportanttoensurethatthereissufficientcapabilityoftheEQMStoensurethatdatafieldscanbeaddedtoqualitymanagementrecords,suchasdataforCAPA,CustomerComplaints,TrainingRecords,ChangeControl,Audits,etc.Ifthisdataisstoredinastructuredwaythen,asabove,theinformationcanbetrendedandmadevisibleviaasimpledashboard.(Currentsimplepaperbasedsystems,withaseriesofspreadsheetsinusetomanagethisaspectofqualityandprovidesimplevisibilityisdifficult,timeconsumingandnotavalidatableoption.)
6.1.2. Structured and Unstructured Documents and Data
TherearenorealregulationsthatneedtobeappliedtothesetupandconfigurationofarelativelygenericuserofanElectronicQualityManagementSystem,suchassetupandconfigurationforISO9001or13485.However,ifanindependentauditorispresentedwithevidenceofconformance,andthisisonlyfromtheEQMSITsystem,i.e.therearenopaperprintouts,thentheauditormayrequestsomeformofevidencethattheITsystemhasbeensetupandconfiguredcorrectly.
However,withrespecttoorganisationsthatcomplytoGMP,evidenceofComputerSystemValidationisrequired.
ThemainUSFDAregulationtocontrolElectronicRecordsis21CFRPart11.ThisregulationissimilartotheEUEudralex,rulesGoverningMedicinalProductsintheEuropeanUnion,Volume4,GoodManufacturingPractice,MedicinalProductsforHumanandVeterinaryUse,Annex11:ComputerisedSystems.
TheEUannexappliestoallformsofcomputerisedsystemsusedaspartofGMPregulatedactivities.Itstates:“Theapplicationshouldbevalidated;ITinfrastructureshouldbequalified”andwhereacomputerisedsystemreplacesamanualoperation,“thereshouldbenoresultantdecreaseinproductquality,processcontrolorqualityassurance.Thereshouldbenoincreaseintheoverallriskoftheprocess”.
Thereisoftenconfusionregardingthistopicandtherearenumerousregulationsfromwideindustrysectors.IfweconsiderorganisationsthatneedtocomplywithGMP,thentheEUEudralexVolume4,Annex11,andUSFDA21CFRPart11,areagainthekeyregulationsinthissector.Conformancetotheseregulations–asinmostcases,theyarequitestringentrulesandregulations–wouldensurethatyouarecompliantwithmostotherindustryregulations.
WithrespecttoAnnex11,putverysimply,ifyouareusinganelectronicsystemtostorequalitycriticalrecords,
inparticularcriticalproductorpatientdata,thenyoucanusesuchasystemtoprovideevidenceofyourQualityManagementSystem,onlyiftheelectronicsystemhasbeenvalidatedanditisrunningonaformallyqualifiedITandNetworkInfrastructure.
Inessence,andverysimply,onceloggedintoasystem,whenaskedtoapprovearecordbysigningelectronically,e.g.adocument,CAPA,outstandingauditaction,etc.theusersimplyhastore-entertheirusernameandpasswordandareason/objective/capacityforsigning.
6.2. What regulations apply to an EQMS?
6.3. Electronic Records and Electronic Signatures
BUILDING • TECHNOLOGY • BUSINESS
19
Good Practice Guide: ElectronicQualityManagementSystemforSME’s
TherearemanyadditionalsoftwaresystemssuchasEchoSign,Cosign,Docu-Sign,etcthatallowausertoestablishasecuresignaturesystemandtherearemany
othertypesofsystemsusingswipecards,biometrics,finger/thumbprintsthatarefartoonumerousandcoveramuchwidertopicthanrequiredinthisdocument.
Thefollowingsectionexplainswhy,insomecases,EQMSsystemsmustbevalidated,whatvalidationmeans,andwhattheimpactisontimescalesandcosts.
Inmanycases,start-upcompaniesthatarestillinanR&Dphase,orperhapscreatingamedicaldevicerequiringaCEmark,donotbylawrequireanElectronicDocumentManagementSystemtobevalidated.However,intermsofITsoftwareprocurementitissensibletosaythatvalidatingsuchasystemisgoodpractice.
However,ifyourorganisationisGMP,i.e.manufacturingproductsthatarepartofclinicaltrialsorbeingmanufacturedforenduserconsumption,i.e.patients,thenEudralex,TheRulesGoverningMedicinalProductsintheEuropeanUnion,Volume4,GoodManufacturingPractice,MedicinalProductsforHumanandVeterinaryUse,Annex11:ComputerisedSystems,comesintoforce(21CFRPart11,ifexportingtotheUSA).
Annex11appliestoallformsofcomputerisedsystemsusedaspartofGMPregulatedactivities.
Thefollowingareextractstakenfromtheregulation
• Acomputerisedsystemisasetofsoftwareandhardwarecomponentswhichtogetherfulfilcertainfunctionalities.
• Theapplicationshouldbevalidated;ITinfrastructureshouldbequalified.
• Whereacomputerisedsystemreplacesamanualoperation,thereshouldbenoresultantdecreaseinproductquality,processcontrolorqualityassurance.Thereshouldbenoincreaseintheoverallriskofthe process.
6.4. Does an EQMS need to be Validated, and if so, how?
TheFDAGuidelinesonGeneralPrinciplesofProcessValidation,May1987,definesvalidationas:
“Establishingdocumentedevidencewhichprovidesahighdegreeofassurancethataspecificprocesswillconsistentlyproduceaproductmeetingitspre-determinedspecificationsandqualityattributes.”
Inthepharmaceutical,medicaldevice,andotherregulatedindustriessuchasfood,blood,tissueandclinicaltrials,validationisthedocumentedactofdemonstratingthataprocedure,process,andactivitywillconsistentlymeettheexpectedresults.Itoftenincludesthequalificationofsystemsandequipment.Itisarequirementforgoodmanufacturingpracticeandotherregulatoryrequirements.
Sinceawidevarietyofprocedures,processes,andactivitiesneedtobevalidated,thefieldofvalidationisdividedintoanumberofsubsectionsincludingcleaningvalidation,processvalidation,analyticalmethodvalidation,equipment,andcomputersystemvalidation(CSV,GAMP®5).
Theactivityofqualifyingsystemsandequipmentisdividedintoanumberofsubsectionsincludingthefollowing:
• Validationplanning • Designqualification(DQ) • Installationqualification(IQ) • Operationalqualification(OQ) • Performancequalification(PQ)
• Validationreporting
TheabovethereforeappliestothevalidationofanElectronicQualityManagementSystem.TheISPEGAMP®5providesexcellentguidanceonhowtovalidatesoftwaresystemsandprovidesthefollowingtableofsoftwarecategoriestohelp,Figure8.
MostoftheEQMSsolutionsavailabletodayarein factGAMPcategory4or5,i.e.highlyconfigurable,customisable,orbespoke.ThemajorityoftheTier1vendorsprovidesuchsoftwaresothatitcanmapontotypicallylargerandglobalpharmaceutical,medicaldeviceandsimilarorganisations.InGMPorganisationsthesesystemsmustbevalidated,andGAMPcategory4and5systemstakemuchlongerandaremoreexpensivetovalidate.
6.4.1. What is Validation and What is Computer Systems Validation?
20
Copyright 2014 © Compliance Control Ltd.
Figure 8: GAMP® software categories.
Category GAMP®51 Infrastructure Software (OS, middleware, etc)2 No longer used3 Non-configured Software4 Configured Software5 Custom Software
ImplementinganEQMSbecomesaprojectinitself,andfollowingtheGAMP®guidelinesneedsafullvalidationlifecycle,startingwithavalidationplan,userrequirements
specification,functionaldesign/configurationdesign,severallayersoftestspecificationsandprotocols,etc.
WithreferencetoFigure1itisnosurprisethereforethattheperceptionofimplementinganEQMSistimeconsuming,andexpensive,particularlyifithastobeformallyvalidated.
SMEs,untilrecently,havenotbeenawarethatGAMPCategory3ElectronicQualityManagementSystemsarenowavailable,andasthereisverylittleconfigurationthecostsarealsomuchsmallerandeasilyaffordablefortheSMEmarket.
Figure 9: Software Categories & Validation Effort.
InfrastructureSoftware
(Middleware, OS, etc)
Non-configuredsoftware
Configuredsoftware
Customsoftware
Also,thereisthecomplicationofon-premisesolutions(i.e.wheretheapplicationisrunningonaservermanagedbytheuser,ontheuser’ssite).
FormostSMEs,managinganinternalITinfrastructurehasmanypotentialproblems.(SeeFigure10).Thisisnotcosteffectiveandthusnormallyrulesouton-premisesolutionsforanEQMS.
ForGMPorganisations,thereisalsotheregulationthattheunderlyingITinfrastructureandnetworkmustbequalified.
AspartoftheimprovementoverthepastfewyearsinITNetworks,Communications,Security,Speed,Reliability,etcwecanthereforemoveourfocusto‘cloud’basedsolutions,orpreferablySoftwareasaService(SaaS)andtheadvantagesandopportunitiesthatthisoffersSMEorganisationsforsystemssuchasanEQMS.SeeSection6.5.
Asdetailedabove,Eudralex,Volume4,Annex11statesthatacomputerisedsystemwhichfulfilscertainfunctionalityusedaspartofaGMPregulatedenvironmentmustbevalidatedandtheITInfrastructureshouldbequalified.
Thisappliestoon-premisesolutions,i.e.thehardwareandserversarestoredandmaintainedatyourfacility.
SoftwareasaServicesolutionsforanEQMSensuresthatsuchITInfrastructureandNetworkisalreadyfullyqualifiedandthiscomplieswiththeregulatoryrequirements.
• ITSupportStaff
• ITInfrastructure
• Backup
• Security,AccessandData
• Air Conditioning
• FireWalls
• Fire
• DisasterRecovery
• Maintenance
• NetworkPerformance
• Qualified(InstallationQualified)
6.4.2. QualificationofNetworkandITInfrastructure
BUILDING • TECHNOLOGY • BUSINESS
21
Good Practice Guide: ElectronicQualityManagementSystemforSME’s
Figure 10: Typical internal IT and Infrastructure Issues.
22
Copyright 2014 © Compliance Control Ltd.
Figure11isatypicaldatacentrethatshowshowtheITmarketischangingandthaton-premisesoftwareisnowbeingreplacedbycloudcomputing.
EvenifanSMEwishedtopurchaseanElectronicQualityManagementSystem,forthereasonsdetailedaboveitisjusttooexpensivewithrespecttocomputersystemsvalidationandtomanageandcontrolITinfrastructure.Anon-premisesolutionisnolongeraffordable,practicalorvalidatable.RefertoFigure12.
DatacentresandSoftwareasaService,withdatacentresconformingtoISO27001InformationSecurityManagementSystemandISO22301theBusinessContinuityStandardarenowavailableandaffordableforSMEs.
Thus,withtherecentconsolidationofcloudcomputingandtheincreasingspeedandsecurityoftheinternetandmobileconnectivity,i.e.4G,thishasreallyensuredthatSMEscannowstarttoreallyadopt‘Cloud’basedsoftware,ormoreappropriatelyreferredtoasSoftwareasaService,asthesesystemscanbeformallyvalidated.
6.5. Software as a Service (Cloud Computing)
Figure 11: Typical Data Centre with Qualified Infrastructure and Network.
BUILDING • TECHNOLOGY • BUSINESS
23
Good Practice Guide: ElectronicQualityManagementSystemforSME’s
Figure 12: Impact of Cloud Computing on Enterprise IT Spending.
2008
Extrapolation based on time-series analysis, assumingthat factors promoting cloud computing through 2008–13
( ) remain constant beyond 2013 until 2020 ( )
0.36% 0.74% 1.25% 2.34%4.30%
7.89%
10.70%
14.49%
4%
8%
12%
Perc
ent o
f on-
prem
ise s
pend
ing
repl
aced
by
cloud
com
putin
g
Percent of On-Premise Spending Replaced by Cloud Computing
The cloud computing market is forecast to grow at a rate of 36.6 percent during 2008–13 to $55.2 billion in 2013. It will probably reduce overall technology spending by $30–39.4 billion in 2013, replacing 14.5 percent of global on-premise spending in 2020.Source: Research and Innovation Estimates
Enterprise spending for on-premise solutions will fall, as cloud computing reduces the need for licenses, hardware and software.
Cloud Computing Spending Forecast ($ Billion)
16%
0%
2010 2012 2014 2016 2018 2020
0%10.9
1722.5
32.4
43.1
61.2
87.2
14.420.6
27.3
38.8
55.240%
60%
20%
80%
100%
2008 2009 2010 2011 2012 2013
Adjusted cloud computingspending forecast
Forecasted cloud computingspend – secondary sources
Clo
ud c
ompu
ting
spen
ding
($ B
illion
)
33
66
22
4343
22
33
1414
2222
1
7
1
7171171
24
Copyright 2014 © Compliance Control Ltd.
WhenmovingtoanElectronicQualityManagementSystemthereareseveralchoiceswithrespecttodataand data migration.
Ifthecompanyisrelativelynew,astart-uporhasasmallsetofexistingqualitydataitmightbesensiblejusttostarttobuildupthenewsystemwithaseriesofmanualdataentrytasks.
Ifthecompanyalreadyhasanestablishedormaturehybrid/paperbasedsystemthenoftenthereisasignificantamountofdatatobeentered,ormigrated,intothenewelectronicsystem
Examplesofdatatobemigrated:
• Qualitymanual,standardoperatingprocedures,workinstructions,templates
• OngoingandclosedCorrectiveAndPreventativeActions(CAPA)
• Ongoingandclosedaudits
• Ongoing and closed change controls
• Trainingrecords
• Equipmentcalibration,maintenance,serviceandcleaning records
• OngoingandclosedNonConformances
• OngoingandclosedCustomerComplaints
Inmostscenariositissensibletohaveadatamigrationplan.ThisshouldbeagreedwithyourITSystemsIntegrationpartnerorsupplieroftheEQMSsoftwareandshouldcoversuchthingsas:
• Quantityandsizeofdata
• Data cleansing
• Structureofdata
• Translationfromlegacyformattothenewsystemformats/metadataetc.
• Useofautomatictools/scripts
• Periodsofparallelrunning/cutover
• Validationofthemigrateddataifregulationsstate thisisarequirement,e.g.Annex11.
6.6. Migrating Existing Data into an EQMS?
Manyoftheabovesectionsrefertoinformationanddata.Thisinformationinapaperbasedsystemisdifficulttocollateandmakevisibletomanagement.
Often,spreadsheetsoradhocdatabasesareusedtostoreandcollatethisinformation.ReferringtotheSection6.4.1inaGMPregulatedenvironmentthesespreadsheetsmustalsobevalidated.
Figure13isatypicalexampleofhowQualityandCompliancemetricsandmanagementinformationcannowbemadeavailableviaanonlineelectronicsystem.NolongerareQualityissues‘below’theiceberg,orsweptunderthecarpet.Visibletrafficlightsystemsareavailabletoshowtomanagementareasofconcern.
6.6.1. Quality Metrics and Compliance Dashboard
Figure 13: Typical Quality and Compliance Traffic light dashboard.
BUILDING • TECHNOLOGY • BUSINESS
26
Copyright 2014 © Compliance Control Ltd.
IfyourorganisationisstartingtocreateaQualityManagementSystemtherearesoftwareproducts availableinthemarketthatcannowhelptospeed uptheprocessatanaffordableprice.
NotonlywilltheinitialmanagementofQualityandCompliancebecomemoreeffective,theintroductionofanElectronicQualityManagementSystematearlyphasesinthegrowthofabusinesswillbecomeevenmoreeffectiveasorganisationsgrow.
IfyourorganisationalreadyhasaQualityManagementSystemandwouldliketomigratetoanElectronicQualityManagementSystemthenbasedontheabovesectionsitisnowachievableastherearesystemsinthemarketthatareaffordableandcanbeupandrunningwithinhours,andvalidatedtomeetMHRA/FDArequirementswithindays!
YourorganisationdoesnotneedtohaveacomplexinternalITinfrastructureandmosttypicalconcernsregarding compliance to national and international regulationswithrespecttoElectronicRecordsandElectronicSignatureshavenowbeentakenawayandwiththeavailabilityofSoftwareasaServiceuserlicencescanbepurchasedfromaslittleasoneuser.
IfyouareinvolvedinQuality,andinparticularifyouaretheQualityDirector,QualityManager,RegulatoryDirector,OperationsDirector,etcyoucannowsuggesttotheChiefExecutive,FinanceDirector,etcthatyouwanttoimprovethemanagementandmaintenanceofyourQualitySystems,thusenhancingyouroverallbusinesscredentials,byintroducinganElectronicQualityManagementSystem.Whendiscussingtheprice,itisnowpossibletostatethatitismoreorlessthesamepricethathasbeenpaidfortheorganisation’saccountingandfinancepackage,whereitisseenthatanelectronicsystemisindustrystandardandmandatory.
ThefollowingfunctionalityandreasonsbelownowdetailwhyanElectronicQualityManagementSystemisaffordableandavailableforSMEs,andinparticularSMEsinaregulatedenvironment.
• DocumentManagementincludingElectronicRecordsandSignatures
• Qualityprocessesincluding:CAPA,Non-Conformance,Complaints,Audits,ChangeControl,TrainingRecords,EquipmentManagement,AuditTrail,Alerts,Metricsanddashboard.
• SoftwareasaService(costeffectiveuserbasedpricingwithaslittleasoneuser)
• DatainasecureDataCentrewithISO9001, ISO27001andISO22301
• NoHardwareorInfrastructurecosts,thusno capitaloutlay
• SetupandConfiguredwithinaday
• Fullyvalidatedwithin5days(basedonGAMPCategory3system,withminimalconfiguration)
FinalConclusion:IfwereferbacktotheExecutivesummaryandthestartingpointofthisGoodPracticeGuide.
“MostSMEsuseSageAccountingorQuickBookstomanagetheirday-to-dayaccountingandfinancialneedsandmostuseaCustomerRelationshipManagement(CRM)softwareproducttomanagetheirdaytodaysalesandcustomers.Whydon’ttheycreatetheirownsoftwareorusebespokespreadsheetsanddatabases?Becauseinessenceitisa‘no-brainer’nottouseoneofthesesystems,astheycanbeprovided‘out-of-the-box’andsetupandbeconfiguredandinusewithinhoursatanaffordableprice”.
ThisGoodPracticeGuidedemonstrateshowtheuseofSoftwareasaServicehasprovidedfunctionallyrichElectronicQualityManagementSystemsatanaffordablepriceforSMEs.
TheuseofElectronicQualityManagementSystemsinSmalltoMediumcompaniestomanageQualityandCompliance,shouldbeanalogoustousinganElectronicFinancialSystem,suchasSageforAccountingandFinance…UsinganEQMSshouldbea‘no-brainer’.
7. Conclusions
BUILDING • TECHNOLOGY • BUSINESS
27
Good Practice Guide: ElectronicQualityManagementSystemforSME’s
MHRA–http://www.mhra.gov.uk/
FDA–http://www.fda.gov/
ISO–http://www.iso.org/iso/home/standards.htm
ISPEGAMP®–http://www.ispe.org/
ICH–http://www.ich.org/
CEMark–https://www.gov.uk/ce-marking
Annex11–http://ec.europa.eu/health/files/eudralex/vol-4/annex11_01-2011_en.pdf
For further information please contactEmail:[email protected] Call:+44(0)1606871113orvisit www.compliance-control.com
8. Acknowledgements,ReferencesandSources