Best Practices for Compliance in Digital Transformation, Part 2 of 2
Okay, so let’s not spend too much time on preamble before we get into the meat of the subject, but thanks for coming back to part 2 in this series. If you haven’t checked out part 1 yet, I would recommend going back and reading that here so you can get a little context as well as view the first 3 best practices recommendations as you undergo digital transformation, or begin to adopt a more digital approach to your software quality compliance practices.
With that said, let’s jump right back into it and hit the remaining 6 best practices recommendations…..
4) Develop a Comprehensive Project Plan
There are many elements of a master CSV plan, but a comprehensive plan should include these key items:
- Project Scope
- Complete inventory of all GxP systems
- Testing approach – includes development of scenarios, cases and scripts
- Requirements traceability matrix – connects requirements, design and test elements
- Testing team and responsibilities
- System acceptance and release (including e-signatures)
- Data archiving – to ensure security, integrity and compliance
5) Create an Effective Team
Your team should consist of all key stakeholders:
- Business/User: The person that owns and user the data. In cases where the data is transitional or integrated to other systems, multiple business/users should be incorporated into the team.
- Note: most organizations cannot afford to allocate one person from each technical group or department into the project. The technical SME that represents the function team MUST have access to and utilize the sub-technical groups during the process, so the best solutions are fit the organization.Technical team members: This is a broad category that needs to have at least representation from a collective team that understands the entire data integrity process. For example, this could include infrastructure, database, web services and/or deployment, security, application-specific and potentially data migration subject matter experts.
- Quality/Compliance team members that are separate from Validation/Testing team members: In many organizations, people with CSV experience and knowledge of regulatory guidelines and compliance also have validation procedures and technology expertise. However, it is best to have a separation at the application level to ensure that best validation strategy and testing strategies are implemented with an oversight review by a second party.
- Project Managers: They should not only be versed in PMP activities but should have ample understanding of the technical and compliance needs of the solution in order to push and maintain balance of the team. Team collaboration and communication is best when completely transparent. Deliverables and risks associated with the timeline and/or solution should be proactively communicated up and down the organization to be able to adjust and shift dependencies as necessary.
6) Record the Validation Process
This includes maintaining current information about various systems and how they are maintained in a validated state throughout the system lifecycle. System design and configuration specifications should also include secure, protected computer-generated audit trails to track changes to these systems. It is important that records are detailed enough to pass any audit by regulatory agencies.
Key mistakes to avoid: There is often great debate about what/where/when validation relevant data is captured (in what system), and who records versus who approves. The most important point is that it gets done – contemporaneously! The rise for perfection is NOT essential. Mangers should push forward with an 80:20 mentality – ensuring critical elements are present and that true key subject matter experts are positioned in the process for review and approval. Once a consistent, robust process is in place, continuous process improvements are much easier to roll out.
7) Audit all Third-Party Providers
Your organization should conduct an evaluation of – and record – all vendor-supplied systems and quality systems. This would include all vendor-supplied and vendor-managed computerized systems, as well as all system components. This evaluation may include an on-site audit of the vendor facilities to evaluate their system’s lifecycle control procedures, practices and records.
Your organization or any manufacturer of FDA regulated products is ultimately responsible for the integrity of the data that supports the product’s safety and efficacy. This may include third-party vendor or service providers depending on how your contracts with these organizations are written.
Key mistakes to avoid: Quality/Supplier Agreements – in addition to your standard vendor-managed services agreements – can minimize confusion and liability if an issue arises. A Quality Agreement clearly defines what the vendor is responsible for and what the organization is responsible for. This is not just for a SaaS solution; many other solutions that require configuration should take a proactive look at vendor/supplier agreements. Many contractor officers or procurement officers are still not yet familiar with the complex need of software/data that is provided to the organization. The overall “system” data mapping can assist contract personnel in assuring the best protections are written into the contract from the start.8) Implement Consistent Periodic Reviews
At the Very least, a thorough review performed every year is essential to make sure that all systems comply within best practices of changing technology, people, and methodologies. Keeping your organization up to date in the latest data practices and how the business users are truly using their data are equally critical to make sure the right policies and procedures are in place.
Key mistakes to avoid: Sadly, periodic reviews are the first item to be de-prioritized within organizations as staff tend to be burdened with other, more pressing timelines. Internal reviews are essential to shift the common culture to maintain compliance and needs to be a priority from the top down.9) Provide Regular, On-going Training
From our perspective, training is one of the most important parts of the CSV process. Over 90% of all mistakes are due to human error. While regular training is often discounted by company management, it is singularly the most common – and most easily avoided – problem in the CSV landscape.
Key mistakes to avoid: The regular influx and exit of consultants and/or employees involved in these projects make training very difficult to keep relevant. Dedicated compliance training teams are necessary to keep up with the volume of demand for training, as well as to ensure appropriate time is allocated for training.
As industry regulations and life sciences companies continue to transform and evolve, the process of validation must follow an agile transformation approach to stay current and compliant. The key is having the right people, processes and technology in place to address these challenges. Having a solid CSV foundation and framework in place can protect your company and assets while putting your organization miles ahead of the competition.
While this may have been an abbreviated overview and I wasn’t able to get into or go in depth on every element of computer system validation, I hope you found this informative and helpful. As always, please feel free to reach out if you would like more information on this topic.
Also, we recently hosted a webinar on SDLC Modernization along with Allergan and much of the content ties in with this series. You can view it at the link below if you are interested.
Jason Secola manages content marketing and channel activities at Tx3 Services and has been with the company since 2016. Jason began working with the larger portion of the existing Tx3 team dating back to 2007 when he got his first start in the world of application testing and later began a focus on testing in a regulated environment. He currently resides near Sacramento, CA.
Jason Secola manages content marketing and channel activities at Tx3 Services and has been with the company since 2016. Jason began working with the larger portion of the existing Tx3 team dating back to 2007 when he got his first start in the world of application testing and later began a focus on testing in a regulated environment. He currently resides near Sacramento, CA.View all posts by Jason Secola