United Kingdom Science Park Association Good Practice Guide Electronic Quality Management System for SMEs

Transcription

1 United Kingdom Science Park Association Good Practice Guide Electronic Quality Management System for SMEs METRICS AUDITS EQUIPMENT CAPA TRAINING CONFORMANCE NON- DOCUMENTS CHANGE CONTROL PROCEDURES COMPLAINTS BUILDING TECHNOLOGY BUSINESS

2 2 Table of Contents 1. Foreword 3 2. Introduction 3 3. Executive Summary 4 4. Part 1: What is a Quality Management System? Definitions of Quality and Quality Statements Quality Standards and Regulations ISO Quality Management System ISO Medical Devices: MDD 93/42/EEC, ISO 13485, IEC 62304, 510(K) CE MARK Environmental Standard: ISO Laboratory Standards: ISO Occupational Health and Safety Advisory Services, BS OHSAS IT Service Management: ISO Information Security Management: ISO Business Continuity Standard: ISO Integrated Quality Management System (PAS 99) ICH Q10 Pharmaceutical Quality System GMP, GxP s ISPE GAMP Part 2: Paper Based Quality Management Systems Managing a Paper Based Quality Management Systems Some Key Problems with paper based Quality Management Systems Part 3: Electronic Quality Management Systems (EQMS) What is an Electronic Quality Management System? What is an EDMS? Structured and Unstructured Documents and Data What regulations apply to an EQMS? Electronic Records and Electronic Signatures Does an EQMS need to be Validated and if so how? What is Validation and What is Computer Systems Validation? Qualification of Network and IT Infrastructure Software as a Service (Cloud Computing) Migrating Existing Data into an EQMS? Quality Metrics and Compliance Dashboard Conclusions Acknowledgements, References and Sources 27 BUILDING TECHNOLOGY BUSINESS Copyright 2014 Compliance Control Ltd.

3 3 1. Foreword This UKSPA good practice guide has been produced by Compliance Control, one of our Business Affiliates, and is freely available to all of our science park, research park, technology park and technology incubator management teams and their business support advisors. It is designed to help companies implement a new or improve their existing quality management system, and so will also be a significant resource for owner-managers, quality managers, ICT and operations staff at many of the companies residing in our member locations in particular those SMEs whose businesses are regulated by external bodies. We have aimed to produce a guide sufficiently flexible to be relevant and useful to a wide range of sectors and size of firm, but also to companies that have paper-based document quality management systems who wish to migrate to an electronically based system. I trust readers will find this good practice guide a stimulating document that will be a useful guide to you and your business as you seek to improve your quality management systems. Paul Wright UKSPA Chief Executive This good practice guide is designed to help companies implement a new, or improve their existing, quality management system 2. Introduction The first part of this good practice guide focuses on some definitions and explanations on understanding what a quality management system is and some commonly used regulations and standards. It aims to take away some of the myths and misconceptions regarding electronic records and electronic signatures (ERES), by simplifying the regulations and providing an explanation of how SMEs can use electronic systems to manage quality. The second part explains how to establish a simple paper based quality management system. The third part explains how even the smallest of companies can now use an affordable electronic quality management system to operate a quality system. Who Should Read This Guide This guide is targeted at science park, research park, technology park and technology incubator management teams and their business support advisors including the owners and Quality Managers, Operations and ICT staff of tenant companies whose businesses are regulated by external organisations, eg. ISO, MHRA, FDA, EU, etc. This document has been written by David Forrest, Chief Executive of Compliance Control Ltd and reviewed by Bob Crawshaw, Director and Principal Consultant, Compliance Control Ltd. About Compliance Control Limited Compliance Control Ltd was founded in 2005 and is a leading specialist in regulatory compliance, quality and validation services for a broad spectrum of industries. Recent funding from the Technology Strategy Board has enabled research and development of an Electronic Document and Quality Management System targeted specifically at small growing companies that need to be regulated, who traditionally would not use an electronic IT system for their Quality and Compliance Management System. For further information refer to Good Practice Guide: Electronic Quality Management System for SME s

4 4 3. Executive Summary Most SMEs use Sage Accounting or QuickBooks to manage their day-to-day accounting and financial needs, and most use a Customer Relationship Management (CRM) software product to manage their day-to-day sales and customers. Why don t they create their own software or use bespoke spreadsheets and databases? Because, in essence, it is a no-brainer not to use one of these systems as they can be provided out-of-the-box set up, configured and in use within hours at an affordable price. A survey carried out by Manchester University Business School in 2012 asked the question: How much does it cost, and how long does it take to implement a financial system, a Sales/CRM system, and an Electronic Quality Management System (EQMS)? The survey was based on approximately 300 small to medium companies with several larger organisations also responding. Figure 1: Durations for implementing finance, sales and quality management software PERCENTAGE OF RESPONDANTS 40% 30% 33% 30% 33% 27% 27% 23% 25% 20% 21% 18% 18% 15% 13% 10% 7% 7% 6% 0% 1-2 Weeks 1-2 Months 3-6 Months 7-11 Months 12 Months & Above FINANCE SALES QUALITY Conclusions: 60% believed a Finance system could be set up and implemented between 1 week to 2 months. 50% believed a Sales/CRM system could be set up and implemented between 1 week to 2 months. 60% believed an EQMS system could be set up and implemented between 1 month to 6 months. 18% believed an EQMS system could be set up and implemented between 7 month to 11 months. Figure 2: Cost of implementing finance, sales and quality management software PERCENTAGE OF RESPONDANTS 80% 60% 67% 69% 55% 40% 20% 25% 16% 7% 11% 7% 10% 8% 0% 4% 5% 7% 10% 1k- 10k 11k- 25k 26k- 50k 51k- 100k 101k & above FINANCE SALES QUALITY Conclusions: 55% believed a finance system could be set up and implemented costing between 1 10k. 67% believed a Sales/CRM system could be set up and implemented costing between 1 10k. 0% believed an EQMS system could be set up and implemented costing between 1 10k. 80% believed an EQMS system could be set up and implemented costing between 11 50k. The above survey was focused mainly on SME clients, as it is widely known that most large clients already use an Electronic Quality Management System to manage their day-to-day quality and compliance requirements because they can afford the price tag of tier one Electronic Quality Management System software products. These tier one products, on the whole, do not come out-of-the-box and therefore take time, resources and money to set up, configure and customise (and validate), and thus are typically affordable only by larger organisations. BUILDING TECHNOLOGY BUSINESS Copyright 2014 Compliance Control Ltd.

5 5 For smaller organisations, there are also concerns over the use of Electronic Records and Electronic Signatures, and in some cases there are issues of Computer System Validation of the software. This good practice guide is therefore targeted mainly at the SME market space as, based on the above evidence in particular timescale and cost most SMEs tend to have a manual paper based system, a hybrid approach, or an unintegrated IT systems approach to quality management, as they perceive they cannot afford the time or money to implement an Electronic Quality Management System. This good practice guide aims to show SMEs how they can now use an Electronic Quality Management System for their regulatory, quality and compliance processes at an affordable price, based on latest advances of Software and IT Infrastructure. 4. Part 1: What is a Quality Management System? A Quality Management System (QMS) is a collection of business processes focused on achieving a quality policy and quality objectives i.e. what your customer wants and needs. (Chris Anderson. What is a Quality Management System? Bizmanualz, Nov 18, 2013.) It can be expressed as the organisational structure, policies, procedures, processes and resources needed to implement quality management. Early systems emphasised predictable outcomes of an industrial production line, using simple statistics and random sampling. By the 20th century, labour inputs were typically the most costly inputs, so focus shifted to team cooperation and dynamics, especially the early signalling of problems via a continuous improvement cycle. In the 21st century, QMS has tended to converge with sustainability and transparency initiatives, as both investor and customer satisfaction and perceived quality is increasingly tied to these factors. Of all QMS regimes, the ISO 9000 family of standards is probably the most widely implemented worldwide. One of the most common tools for working on quality in a long term cyclical and sustainable manner is the Deming circle (PDCA). The Deming circle was developed by the American statistician William Edwards Deming ( ) who worked mainly in Japan. The methodology can be found in most ISO standards: ISO 9001, ISO 17025, etc. The four elements of the Deming circle are: Plan what you will do and how you will do it Do what you have planned Check the results Act or react to things that go wrong and investigate how to improve (further) Figure 3: Deming circle (PDCA) Plan what you will do and how you will do it Do what you have planned Act or react to things that go wrong and investigate how to improve (further) Check the results Good Practice Guide: Electronic Quality Management System for SME s

6 6 Figure 4: Typical ISO 9001 Quality Circle. Resource Measure Statement of Purpose Sales Development Support Production Improve Core Control Procedures Monitor 4.1. Definitions of Quality and Quality Statements The following are some extracts and examples from the many differing definitions of quality: Manufacturing based definitions are concerned primarily with engineering and manufacturing practices and use the universal definition of conformance to requirements. Requirements, Specifications, and Designs are already established, and during manufacturing any deviation implies a reduction in quality. The concept applies to services as well as products. Excellence in quality is not necessarily in the eye of the beholder but rather in the standards set by the organisation. Manufacturing: a measure of excellence or a state of being free from defects, deficiencies, and significant variations, brought about by the strict and consistent adherence to measureable and verifiable standards to achieve uniformity of output that satisfies specific customer or user requirements. Put simply quality is the level of adherence to good procedures. If a simple set of procedures can be put in place, and staff trained accordingly, then the defined processes should produce quality products and/or services. Failure to create appropriate procedures, lack of initial, and ongoing training, and poor internal auditing processes will eventually lead to poor quality products and services. Where an organisation produces products or services that must comply with regulations, the level of quality of the organisation is defined by the level of procedures in place to ensure conformance to the set of regulations that must be followed. Adequate staff training regarding the operational procedures, combined with good internal auditing, and a simple and effective CAPA (corrective action, preventive action) system, will ensure compliance. A simple non-conformance, deviation management system process, including investigations from customer complaints should drive root cause analysis investigations, thus improving overall quality. BUILDING TECHNOLOGY BUSINESS Copyright 2014 Compliance Control Ltd.

7

8 Quality Standards and Regulations There are many standards and regulations ranging from ISO (International Organization for Standardization) such as ISO 9001, 14001, 13485, 17025, (Occupational Health and Safety Advisory Services, OHSAS), 20000, 27000, and the other industry and country regulatory bodies, such as the US Food and Drug Administration (FDA), UK Medicines and Healthcare products Regulatory Agency (MHRA), International Standards such as ICH Q10 (International Conference on Harmonisation), the European Medicines Agency (EMA) and the European Commission CE Marking, to list but a few! The following sections provide further information on the most commonly used standards and regulations ISO Quality Management System ISO (International Organization for Standardization) is the world s largest developer of voluntary international standards. International standards give state of the art specifications for products, services and good practice, helping to make industry more efficient and effective. Developed through global consensus, they help to break down barriers to international trade. It was founded in 1947, and since then has published more than 19,500 international standards covering almost all aspects of technology and business. From food safety to computers, and agriculture to healthcare, ISO international standards impact all of us. ISO certification can increase the effectiveness of your existing management systems and allow the organisation to become more efficient in the way it operates ISO 9001 ISO 9001 is the world s most established quality framework, focusing on effective management of business and meeting customers requirements. The standard is used in 175 countries worldwide and helps all kinds of organisations to succeed through improved customer satisfaction, staff motivation and continuous improvement. Refer to section 5 for more details on ISO Medical Devices: MDD 93/42/EEC, ISO 13485, IEC 62304, 510(K) The European Union Medical Devices Directive (MDD 93/42/EEC) covers a vast range of products from first-aid bandages and walking frames to CT scanners and implants. Given this wide range, it is not justifiable to subject all devices to the same levels of conformity assessment. It is important, therefore, that the level of control is matched, as far as possible, to the degree of risk inherent in the device. The core legal framework actually consists of 3 directives: Directive 90/385/EEC regarding active implantable medical devices Directive 93/42/EEC regarding medical devices Directive 98/79/EC regarding in vitro diagnostic medical devices Attempts were therefore made to set the controls relative to the perceived risk in an effort to make them as relaxed as possible (to ease the bureaucratic and financial burdens on business) and as strict as necessary (to ensure that the health of the patient and user is adequately protected). The classification of devices is therefore a risk-based system. The criteria for classification are described in Annex IX of the Medical Devices Directive. General medical devices are grouped into four classes as follows: Class I generally regarded as low risk Class IIa generally regarded as medium risk Class IIb generally regarded as medium risk Class III generally regarded as high risk BUILDING TECHNOLOGY BUSINESS Copyright 2014 Compliance Control Ltd.

9 9 Classification of a medical device depends upon a series of factors, including: How long the device is intended to be in continuous use Whether or not the device is invasive or surgically invasive Whether the device is implantable or active Whether or not the device contains a substance, which in its own right is considered to be a medicinal substance and has action ancillary to that of the device. The difference between each class rests in the choice of conformity assessment procedures available. The section Conformity assessment and the CE Mark in the Medical Devices Directive has a description of the various conformity assessment routes available to manufacturers. It is the stated intended purpose of the device, assigned by the manufacturer, which determines the class in which a device is categorised. See Within the medical device sector, ISO takes the fundamental requirements of ISO 9001 and relates it to the production of medical devices, in-vitro medical devices and implantable active devices. For companies manufacturing devices to be CE marked for sale in Europe, implementation of ISO provides the simplest solution to meeting the requirements of the European Medical Device Directives. In some cases, medical devices contain software and the International Electrotechnical Commission (IEC) standard specifies software development life cycle requirements for the development of medical software and software within medical devices. To market a device in the USA, the USA section 510(k) of the FDA Act requires device manufacturers to notify the FDA, at least 90 days in advance, of their intent to market a medical device. This is known as PreMarket Notification also called PMN or 510(k). It allows the FDA to determine whether the device is equivalent to a device already placed into one of the three classification categories. Thus, new devices (not in commercial distribution prior to May 28, 1976) that have not been classified can be properly identified. Any device that reaches the market via a 510(k) notification must be substantially equivalent to a device on the market prior to May 28, 1976 (a predicate device ). If a device being submitted is significantly different, relative to a pre-1976 device, in terms of design, material, chemical composition, energy source, manufacturing process, or intended use, the device nominally must go through a PreMarket Approval, or PMA. A device that reaches the market via the 510(k) process is not considered to be approved by the FDA. Nevertheless, it can be marketed and sold in the United States. They are generally referred to as cleared or 510(k) cleared devices CE Mark The CE marking, or formerly EC mark, is a mandatory conformity marking for certain products sold within the European Economic Area (EEA) since The CE marking is found even on products sold outside the EEA, because they are either products manufactured in the EEA and have been exported, or they were manufactured in other nations which have EEA as a prime market. This makes the CE marking recognizable worldwide even to people who are not familiar with the European Economic Area. There are certain rules underlying the procedure to affix the marking: Products subject to certain EC directives providing for CE marking have to be affixed with the CE marking before they can be placed on the market. Manufacturers have to check, on their sole responsibility, which EU directives they need to apply for their products. The product may be placed on the market only if it complies with the provisions of all applicable directives and if the conformity assessment procedure has been carried out accordingly. The manufacturer draws up an EC declaration of conformity and affixes the CE marking on the product. If stipulated in the directive(s), an authorised third party (notified body) must be involved in the conformity assessment procedure. If the CE marking is affixed on a product, it can bear additional markings only if they are of different significance, do not overlap with the CE marking and are not confusing and do not impair the legibility and visibility of the CE marking. Good Practice Guide: Electronic Quality Management System for SME s

10 10 Since achieving compliance can be very complex, CE marking conformity assessment, provided by a notified body, is of great importance throughout the entire CE marking process, from design verification and set up of the technical file to the EC Declaration of Conformity. Responsibility for CE marking lies with whoever puts the product on the market in the EU, i.e. an EU-based manufacturer, the importer or distributor of a product made outside the EU, or an EU-based office of a non-eu manufacturer. The manufacturer of a product affixes the CE marking to it but has to take certain obligatory steps before the product can bear CE marking. The manufacturer must carry out a conformity assessment, set up an electromagnetic comprehensiveness technical file and sign an EC declaration of conformity. The documentation has to be made available to authorities on request Environmental Standard: ISO For organisations that want to prove their green credentials, ISO is the international standard that helps businesses with implementing an Environmental Management System, including producing an environmental policy and objectives. The standard can be used to implement an environmental management system from scratch or improve on an existing one, whilst taking account of diverse geographical, cultural and social conditions that may exist in business Laboratory Standards: ISO ISO is the main standard used to assess the competence of testing and calibration laboratories. The standard itself comprises five elements that are scope, normative references, terms and definitions, management requirements and technical requirements. The two main sections in ISO are management requirements and technical requirements. Management requirements are primarily related to the operation and effectiveness of the quality management system within the laboratory. Technical requirements include factors which determine the correctness and reliability of the tests and calibrations performed in laboratories Occupational Health and Safety Advisory Services, BS OHSAS OHSAS is a British Standard for occupational health and safety management systems. It exists to help all kinds of organisations put in place demonstrably sound occupational health and safety performance. It is widely seen as the world s most recognised occupational health and safety management systems standard IT Service Management: ISO ISO is the first international standard for IT service management. It was developed in 2005, and revised in It is based on, and intended to supersede, the earlier BS that was developed by BSI Group. ISO :2011 ( part 1 ) includes the design, transition, delivery and improvement of services that fulfil service requirements and provide value for both the customer and the service provider. This part of ISO requires an integrated process approach when the service provider plans, establishes, implements, operates, monitors, review, maintains and improves a service management system (SMS). The 2011 version (ISO :2011) comprises the following nine sections: scope, normative references, terms and definitions, service management system general requirements, design and transition of new or changed services, service delivery processes, relationship processes, resolution processes and control processes. BUILDING TECHNOLOGY BUSINESS Copyright 2014 Compliance Control Ltd.

11 Information Security Management: ISO ISO is an Information Security Management System (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC 27001:2005, Information Technology, Security Techniques, Information Security Management Systems, Requirements. This standard was updated on 25th September 2013 and is now known as ISO/IEC 27001:2013. ISO/IEC formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. The standard includes the following: Information security leadership and high-level support for policy Planning an information security management system; risk assessment; risk treatment Supporting an information security management system Making an information security management system operational Business Continuity Standard: ISO ISO is the business continuity standard for management systems, it supersedes BS which was the world s first British Standard for business continuity management. ISO 22301:2012 specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise Integrated Quality Management System (PAS 99) The more management systems an organisation has in place, the more the business could potentially benefit. However, managing several Quality Management Systems with areas of overlap and duplication has often been confusing and expensive. Recently the British Standards Institute has created PAS 99 which is a specification for integrated management systems. This takes the hard work out of managing more than one certified system at the same time. PAS 99 integrated management systems allow an organisation to streamline the way it operates, aligning all common standard requirements, and cutting the cost of separate audits and administration. The PAS 99 details one system that provides one set of documentation, policies, procedures and processes for all of their management systems. It was developed using the ISO guide for writing management system standards and typical integrated management systems might include ISO 9001 Quality Management, ISO Environmental Management, BS OHSAS Occupational Health and Safety Management, IS0/IEC Information Security Management, ISO/IEC IT Service Management, ISO Food Safety Management and BS ISO Business Continuity Management, etc. An integrated management system, therefore, is better for businesses as it is much simpler to meet all standard requirements using one set of policies and procedures. Multiple systems can be audited at the same time and staff can be trained to use more than one system at a time saving money and boosting both performance and efficiency. Communication also improves when companies are working towards a common set of objectives, giving clearer roles and responsibilities. Plus, administration becomes easier when all systems can be managed using the same processes (and a single electronic system, see below) making sure that actions support or enhance each system. All of this points toward continual investment and improvement, which can give customers, stakeholders and suppliers greater confidence in the organisation s ability to deliver integrated and effective management systems. Good Practice Guide: Electronic Quality Management System for SME s

12 ICH Q10 Pharmaceutical Quality System The official title is: Expert Working Group (Quality) of the International Conference on Harmonisation of Technical Requirements for Registration of Pharmaceuticals for Human Use (ICH). This internationally harmonised guidance is intended to assist pharmaceutical manufacturers by describing a model for an effective quality management system for the pharmaceutical industry, referred to as the pharmaceutical quality system, which is called the ICH Q10 model. ICH Q10 describes one comprehensive model for an effective pharmaceutical quality system that is based on International Organization for Standardization (ISO) quality concepts, includes applicable good manufacturing practice (GMP) regulations, and complements ICH Q8 Pharmaceutical Development and ICH Q9 Quality Risk Management. ICH Q10 is a model for a pharmaceutical quality system that can be implemented throughout the different stages of a product lifecycle. Much of the content of ICH Q10 applicable to manufacturing sites is currently specified by regional GMP requirements. ICH Q10 is not intended to create any new expectations beyond current regulatory requirements. Consequently, the content of ICH Q10 that is additional to current regional GMP requirements is optional GMP, GxPs Good Manufacturing Practices (GMP) are the practices required in order to conform to guidelines laid down by agencies which control authorisation and licensing for manufacture and sale of food, drug products, and active pharmaceutical products. These guidelines are laid down with the intention of providing minimum requirements that a pharmaceutical or a food product manufacturer must meet while manufacturing drugs or food products, which then assures that the products manufactured/produced are of high quality and do not pose any risk to the consumer or public. In the United Kingdom, the Medicines Act (1968) covers most aspects of GMP in what is commonly referred to as The Orange Guide, which is named so because of the colour of its cover; it is officially known as Rules and Guidance for Pharmaceutical Manufacturers and Distributors. Within the European Union, GMP inspections are performed by National Regulatory Agencies e.g. GMP inspections are performed in the United Kingdom by the Medicines and Healthcare products Regulatory Agency (MHRA). GMPs are enforced in the United States by the U.S. Food and Drug Administration (FDA). The regulations use the phrase current good manufacturing practices (cgmp) to describe these guidelines. Other good practice systems, along the same lines as GMP exist, and are often referred to as GxPs: Good Laboratory Practice (GLP), for laboratories conducting non-clinical studies (toxicology and pharmacology studies in animals); Good Clinical Practice (GCP), for hospitals and clinicians conducting clinical studies on new drugs in humans; Good Distribution Practice (GDP) deals with the guidelines for the proper distribution of medicinal products for human use. All the above follow a similar core of Quality Management System processes but also have key focused procedures and processes on the differing practice. BUILDING TECHNOLOGY BUSINESS Copyright 2014 Compliance Control Ltd.

13

14 ISPE GAMP 5 Good Automated Manufacturing Practice (GAMP ) is both a technical subcommittee of the International Society for Pharmaceutical Engineering (ISPE) and a set of guidelines for manufacturers and users of automated systems in the pharmaceutical industry. More specifically, the ISPE s guide: The Good Automated Manufacturing Practice (GAMP ) Guide for Validation of Automated Systems in Pharmaceutical Manufacture, describes a set of principles and procedures that help ensure that pharmaceutical products have the required quality. One of the core principles of GAMP is that quality cannot be tested into a batch of products but must be built into each stage of the manufacturing process. The latest release GAMP 5 is titled: A risk based approach to Computer Systems Validation. GAMP is a guideline that describes how to validate computer systems, i.e. provide documented evidence to prove that computer systems in the pharmaceutical industry work according to agreed specifications. 5. Part 2: Paper Based Quality Management Systems Let s take ISO 9001 as the key and core starting point for a Quality Management System which focuses on measurement, monitoring, improvement and adequate resources to ensure the improvements are made. The core of a Quality Management system is normally a Quality Manual. This is a document created using a standard word processor and typically ranges from 5 25 pages. It is really a high level summary of the management system that is being adopted and often refers to the high level standard that you are aspiring to conform to. Using ISO 9001 as a baseline, then this will also detail the management structure and who is responsible for managing the quality system, normally referred to as the Quality Manager. The list below details the 19 core elements of 9001, most other quality management systems cover more or less the same areas that are normally found in a quality manual. The quality manual is typically a high level reference point, where the actual detail is then found in further procedures or Standard Operating Procedures (SOP s): Quality Manual Management Structure Documentation Records Management Change Control Customer Relationship Management Products and Service Delivery Products and Service Development Environment Management Human Resources Supplier and Outsourcing Management Equipment Maintenance and Calibration Purchasing Monitoring of Customer Satisfaction Internal Audits Monitoring Production and Service Delivery Analysis of Performance of the QMS Corrective Action and Preventative Action Management Review Typically, there are two key aspects to a quality management system: The first aspect is: What does your business do, and how does it carry it out on a day-to-day basis? Is it a service/consultancy business designing a new product? A laboratory sample testing facility? Or a manufacturing facility? Each business is different and thus the processes are documented in standard operating procedures. These procedures describe in detail how your business functions on a day-to-day basis. Once the procedures have been written, formal training records are required to provide evidence that the training has been carried out adequately. All these procedures need to conform to your documentation standards procedure that has been previously created, reviewed and approved. As well as procedures, a whole series of forms are required to track and record the documented evidence, in ISO 9001 this is called records management. External auditors must have documented evidence that actions and activities have been carried out. BUILDING TECHNOLOGY BUSINESS Copyright 2014 Compliance Control Ltd.

15 15 The second aspect is: The standard quality processes that are required across all businesses in all different industry sectors. Typically, these are: Documentation Management, Control and Issue Records Management, including training records Change Control Management Monitoring of Customer Complaints Internal Audits Non Conformance Corrective Action and Preventative Action Once the above processes are in place and the quality manual and procedures have been reviewed and approved then internal auditing can take place, which is a systematic check of each part of the quality system and processes. Setting up a Quality Management System will require numerous procedures, forms, records and processes adding up to a lot of paperwork! In a paper based quality management system the following images can apply. Figure 5: Example of paper based systems. Set of ring binders In-tray piled up with paper documents and forms Quality Manager preparing for an audit Organised filing cabinet 5.1. Managing Paper Based Quality Management Systems Most paper based quality management systems in SMEs use a base of electronic systems. A combination of word processors, spreadsheets and ad hoc databases are used, all running on an informal IT Infrastructure. The core base documents are stored on desktops, laptops, servers, etc. In some cases this is in an organised folder structure, in other cases less organised. Often, there is no formal backup and system security strategy and no protection or traceability on who edits, updates and deletes files and other quality records. In some cases the IT department or just someone with some IT skills can quickly create a simple database application to manage some of the quality records required (as a quick fix). Quickly, however, this becomes problematic as there are then issues about access control to the system, who manages and maintains the system and the initial short term (quick fix) benefits are quickly lost and overtaken by complex IT development and support issues. Figure 6 is an example of how ad hoc spreadsheets and databases can result in a diverse and unintegrated system. Such an ad hoc system is very difficult to maintain, particularly as a company grows, and if in a formally regulated industry such as MHRA, FDA, etc then the following example is more or less unvalidatable, hence the data residing within the systems cannot be used as evidence during regulatory inspections. Hence SMEs either have a stand alone paper based system or there are often two systems running in parallel; a simple paper based system and the ad hoc, hybrid, unvalidatable system. Good Practice Guide: Electronic Quality Management System for SME s

16 16 Figure 6: Example of ad hoc, hybrid, unvalidatable system. Excel Spreadsheets Quality Management System Change Control System Disparate System Training Records Project Documentation Whilst in some cases the Quality Administrator or Document and Records Administrator may be extremely efficient and well organised, it is still potentially difficult to find documents and forms and to search for information within documents and forms. In a small organisation, many ring binders are often found with the latest version of standard operating procedures. One small organisation of less than 100 Issue Tracking System people had 30 Ring Binders spread around in different locations. The administrative burden took at least 2 days a month to keep these binders up to date by adding in new and updated procedures, and removing redundant procedures. Not only was this costing time and money for administration but also the cost of printing and paper. It also leads to unfortunate errors, as managing such a system is prone to human error Some Key Problems with paper based Quality Management Systems The use of Key Performance Indicators (KPIs) to provide visibility and to demonstrate the level of quality of an organisation is difficult using a paper based system. Electronic Quality Management Systems provide visible KPIs to management. Staff using information management systems to help follow quality processes and procedures can help to improve visibility and levels of quality. Searching for documents and forms is impractical with paper only based systems. Documents and forms sent round for review and approval are not trackable. Often documents can be hidden in in-trays (Figure 5). BUILDING TECHNOLOGY BUSINESS Copyright 2014 Compliance Control Ltd.

17 17 As businesses grow it is increasingly difficult to manage the numerous spreadsheets and ad hoc databases that are created to manage quality documents, processes and records. Figure 7: Tip of the Iceberg. For clients with FDA, MHRA and other similar regulatory requirements it is virtually impossible to validate an ad hoc, bespoke IT system used to store Quality Management Systems documentation. IT Infrastructure and Network (and formal Qualification) is vital to ensure good access and security and the costs associated with this are burdensome for small businesses. In many cases paper based systems cannot be managed and controlled well and unless there is true overall visibility of all quality records and data then an organisation could well have serious quality issues. This is often called the Tip of the Iceberg (Figure 7). Whilst maybe 10% of the quality issues are visible (above the water), 90% of the quality issues are invisible (under water in the hidden paper chase). 6. Part 3: Electronic Quality Management Systems (EQMS) 6.1. What is an Electronic Quality Management System? While the general principles of quality management have remained consistent for many years, the IT and electronic systems and solutions used to ensure the production and delivery of high quality products and processes across the value chain have changed drastically. Companies initially developed spreadsheets and ad hoc database management systems, which were used to manually monitor and analyse quality data. With developments in technology, there was a movement toward companies either implementing point quality solutions (many of them home grown) or quality specific modules in ERP systems to manage quality. In both cases, the vast majority of companies failed to meet the business and technical requirements of global manufacturing companies with respect to a Quality Solution. As a result, many organisations now have a disjointed, broad set of systems that don t easily communicate with one another. Improvements with these systems are often localised, lacking the global visibility needed to truly manage quality. With the need in the market, a new software category has emerged: Electronic Quality Management Systems (EQMS). (In some cases EQMS can also stand for Enterprise Quality Management Systems). In essence, an EQMS is a software solution specifically designed to manage Quality Processes, Documents, and Data What is an EDMS? A Document Management System (DMS) is a computer system (or set of computer programmes) used to track and store electronic documents. It is usually also capable of keeping track of the different versions modified by different users. Today, most of these systems are referred to as an Electronic Document Management System. An EDMS is a core part of an Electronic Quality Management System. Good Practice Guide: Electronic Quality Management System for SME s

18 Structured and Unstructured Documents and Data In some cases an EDMS can be just a folder structure or repository for documents. In this case, documents are dragged and dropped into folder structures that have some simple organised hierarchy. In this case there are often intelligent search engines that can access the content of the document and the document properties. This is often referred to as Unstructured Documents. However, it is also possible when adding documents to an electronic system to add additional data fields as part of the document. This is often called Structured Documents, or Metadata. Additional data such as document owner, reviewer and approver can be added, and electronic signature records, along with many additional data fields such as required by date, review by date, document expiry date, document version number, document reference number, etc. When selecting an EDMS it is important to ensure that there is the ability to add structured data, so that metrics and a dashboard can be made available showing trending information and providing the ability for an alert/traffic light system to manage and monitor document status. In a similar way, it is important to ensure that there is sufficient capability of the EQMS to ensure that data fields can be added to quality management records, such as data for CAPA, Customer Complaints, Training Records, Change Control, Audits, etc. If this data is stored in a structured way then, as above, the information can be trended and made visible via a simple dashboard. (Current simple paper based systems, with a series of spreadsheets in use to manage this aspect of quality and provide simple visibility is difficult, time consuming and not a validatable option.) 6.2. What regulations apply to an EQMS? There are no real regulations that need to be applied to the set up and configuration of a relatively generic user of an Electronic Quality Management System, such as set up and configuration for ISO 9001 or However, if an independent auditor is presented with evidence of conformance, and this is only from the EQMS IT system, i.e. there are no paper printouts, then the auditor may request some form of evidence that the IT system has been set up and configured correctly. However, with respect to organisations that comply to GMP, evidence of Computer System Validation is required. The main US FDA regulation to control Electronic Records is 21 CFR Part 11. This regulation is similar to the EU Eudralex, rules Governing Medicinal Products in the European Union, Volume 4, Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use, Annex 11: Computerised Systems. The EU annex applies to all forms of computerised systems used as part of GMP regulated activities. It states: The application should be validated; IT infrastructure should be qualified and where a computerised system replaces a manual operation, there should be no resultant decrease in product quality, process control or quality assurance. There should be no increase in the overall risk of the process Electronic Records and Electronic Signatures There is often confusion regarding this topic and there are numerous regulations from wide industry sectors. If we consider organisations that need to comply with GMP, then the EU Eudralex Volume 4, Annex 11, and US FDA 21 CFR Part 11, are again the key regulations in this sector. Conformance to these regulations as in most cases, they are quite stringent rules and regulations would ensure that you are compliant with most other industry regulations. With respect to Annex 11, put very simply, if you are using an electronic system to store quality critical records, in particular critical product or patient data, then you can use such a system to provide evidence of your Quality Management System, only if the electronic system has been validated and it is running on a formally qualified IT and Network Infrastructure. In essence, and very simply, once logged into a system, when asked to approve a record by signing electronically, e.g. a document, CAPA, outstanding audit action, etc. the user simply has to re-enter their username and password and a reason/objective/capacity for signing. BUILDING TECHNOLOGY BUSINESS Copyright 2014 Compliance Control Ltd.

19 19 There are many additional software systems such as EchoSign, Cosign, Docu-Sign, etc that allow a user to establish a secure signature system and there are many other types of systems using swipe cards, biometrics, finger/thumb prints that are far too numerous and cover a much wider topic than required in this document Does an EQMS need to be Validated, and if so, how? The following section explains why, in some cases, EQMS systems must be validated, what validation means, and what the impact is on timescales and costs. In many cases, start-up companies that are still in an R&D phase, or perhaps creating a medical device requiring a CE mark, do not by law require an Electronic Document Management System to be validated. However, in terms of IT software procurement it is sensible to say that validating such a system is good practice. However, if your organisation is GMP, i.e. manufacturing products that are part of clinical trials or being manufactured for end user consumption, i.e. patients, then Eudralex, The Rules Governing Medicinal Products in the European Union, Volume 4, Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use, Annex 11: Computerised Systems, comes into force (21 CFR Part 11, if exporting to the USA). Annex 11 applies to all forms of computerised systems used as part of GMP regulated activities. The following are extracts taken from the regulation A computerised system is a set of software and hardware components which together fulfil certain functionalities. The application should be validated; IT infrastructure should be qualified. Where a computerised system replaces a manual operation, there should be no resultant decrease in product quality, process control or quality assurance. There should be no increase in the overall risk of the process What is Validation and What is Computer Systems Validation? The FDA Guidelines on General Principles of Process Validation, May 1987, defines validation as: Establishing documented evidence which provides a high degree of assurance that a specific process will consistently produce a product meeting its pre-determined specifications and quality attributes. In the pharmaceutical, medical device, and other regulated industries such as food, blood, tissue and clinical trials, validation is the documented act of demonstrating that a procedure, process, and activity will consistently meet the expected results. It often includes the qualification of systems and equipment. It is a requirement for good manufacturing practice and other regulatory requirements. Since a wide variety of procedures, processes, and activities need to be validated, the field of validation is divided into a number of subsections including cleaning validation, process validation, analytical method validation, equipment, and computer system validation (CSV, GAMP 5). The activity of qualifying systems and equipment is divided into a number of subsections including the following: Validation planning Design qualification (DQ) Installation qualification (IQ) Operational qualification (OQ) Performance qualification (PQ) Validation reporting The above therefore applies to the validation of an Electronic Quality Management System. The ISPE GAMP 5 provides excellent guidance on how to validate software systems and provides the following table of software categories to help, Figure 8. Most of the EQMS solutions available today are in fact GAMP category 4 or 5, i.e. highly configurable, customisable, or bespoke. The majority of the Tier 1 vendors provide such software so that it can map onto typically larger and global pharmaceutical, medical device and similar organisations. In GMP organisations these systems must be validated, and GAMP category 4 and 5 systems take much longer and are more expensive to validate. Good Practice Guide: Electronic Quality Management System for SME s

20 20 Figure 8: GAMP software categories. Category GAMP 5 1 Infrastructure Software (OS, middleware, etc) 2 No longer used 3 Non-configured Software 4 Configured Software 5 Custom Software Implementing an EQMS becomes a project in itself, and following the GAMP guidelines needs a full validation lifecycle, starting with a validation plan, user requirements specification, functional design/configuration design, several layers of test specifications and protocols, etc. With reference to Figure 1 it is no surprise therefore that the perception of implementing an EQMS is time consuming, and expensive, particularly if it has to be formally validated. SMEs, until recently, have not been aware that GAMP Category 3 Electronic Quality Management Systems are now available, and as there is very little configuration the costs are also much smaller and easily affordable for the SME market. Figure 9: Software Categories & Validation Effort. Infrastructure Software (Middleware, OS, etc) Non-configured software Configured software Custom software Qualification of Network and IT Infrastructure Also, there is the complication of on-premise solutions (i.e. where the application is running on a server managed by the user, on the user s site). For most SMEs, managing an internal IT infrastructure has many potential problems. (See Figure 10). This is not cost effective and thus normally rules out on-premise solutions for an EQMS. For GMP organisations, there is also the regulation that the underlying IT infrastructure and network must be qualified. As part of the improvement over the past few years in IT Networks, Communications, Security, Speed, Reliability, etc we can therefore move our focus to cloud based solutions, or preferably Software as a Service (SaaS) and the advantages and opportunities that this offers SME organisations for systems such as an EQMS. See Section 6.5. As detailed above, Eudralex, Volume 4, Annex 11 states that a computerised system which fulfils certain functionality used as part of a GMP regulated environment must be validated and the IT Infrastructure should be qualified. This applies to on-premise solutions, i.e. the hardware and servers are stored and maintained at your facility. Software as a Service solutions for an EQMS ensures that such IT Infrastructure and Network is already fully qualified and this complies with the regulatory requirements. IT Support Staff IT Infrastructure Backup Security, Access and Data Air Conditioning Fire Walls Fire Disaster Recovery Maintenance Network Performance Qualified (Installation Qualified) BUILDING TECHNOLOGY BUSINESS Copyright 2014 Compliance Control Ltd.