Understanding Compliance

What is Quality Compliance?

Quality Compliance is the ongoing practice of producing goods or services that serve their intended purpose while complying with established regulatory and company requirements.

In the pharmaceutical and health care industries, there are many governing regulatory entities, each with specific requirements for safety, quality, consistency, and control regarding all aspects of business, including design, production, testing, documentation, maintenance, security, training, and communication with clients, end users, and third parties.

In addition to providing good business practices, these requirements are ultimately essential for product integrity and the safety of a patient, customer, or end user.

Achieving and Maintaining Compliance

Achieving compliance includes determining what regulatory requirements are applicable, defining the Quality Program, validating and/or remediating systems and software, and documenting and approving all policies, procedures, and validation and testing documentation to support these endeavors.

Maintaining compliance is the key to long-term success. To maintain compliance, all policies and procedures must be followed in every aspect of the business from day to day. Tasks, system changes, and testing must be performed and documented as defined in the policies and procedures.

Being compliant is never finished. It is a state of being. It must be practiced every day by managing and documenting change controls and configuration changes, updating and managing documents, performing testing, adapting policies and procedures, performing periodic reviews, and validating major system upgrades.

It is pointless to create a set of policies and procedures and not adhere to them. Negative audit findings and disappointed customers can lead to a loss of business and a bad reputation in the industry.

GAMP

Good Automated Manufacturing Process (GAMP) is an internationally recognized set of principles and procedures that help ensure that pharmaceutical products meet the required quality standards.

One of the core principles of GAMP is that quality cannot be tested into a batch of product but must be built into each stage of the manufacturing process.

GAMP utilizes a risk-based approach to validation, allowing an organization flexibility and efficiency.

http://www.ispe.org/gamp-5

GxP

GxP is a collective term for a family of guidelines and regulations governing a broad range of elements in the manufacture of food and drugs.

GMP (Good Manufacturing Practices) guidelines define standards for manufacturing, testing, and quality assurance in order to ensure that a drug product is safe for human consumption.

GLP (Good Laboratory Practices) guidelines define standards for how non-clinical laboratory studies are planned, performed, monitored, recorded, reported and archived with regard to risks to the end user, the environment, and the organization.

GCP (Good Clinical Practices) guidelines define standards for how clinical trials should be conducted with regard to human safety and the quality and reliability of data.

GxP guidelines are enforced by multiple regulatory agencies.

Regulatory Agencies and Policies

Depending on the nature of the organization’s products and how they are used, any or all of the following may apply:

  • Food and Drug Administration (FDA) 21 CFR Part 11 (regulates electronic records and electronic signatures)
  • Food and Drug Administration (FDA) 21 CFR Part 820 (regulates quality systems pertaining to medical devices)
  • HIPAA (Health Insurance Portability and Accountability Act)
  • ISO (International Organization for Standardization) 13485 (regulates design and manufacture of medical devices)
  • ISO (International Organization for Standardization) 14155 (regulates clinical investigation of medical devices)

International endeavors may require adherence to foreign regulations as well, such as requirements dictated by the European Medicines Agency (EMA), the European equivalent to the U.S. Food and Drug Administration (FDA).

21 CFR Part 11

Part 11 of Title 21 of the Code of Federal Regulations (CFR) describes the U.S. Food and Drug Administration (FDA) requirements to implement controls for software and systems involved in processing electronic data.

Any software or system that is involved with the development, manufacturing, testing, or packaging of a drug or substance for human use is subject to 21 CFR Part 11.

The purpose of 21 CFR Part 11 is to ensure control over electronic data, including audits, system validations, audit trails, electronic signatures, and documentation.

https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?CFRPart=11

21 CFR Part 820

Part 820 of Title 21 of the Code of Federal Regulations (CFR) describes the U.S. Food and Drug Administration (FDA) requirements for the production of medical devices.

Medical devices are typically defined as physical objects that are used to monitor or administer a health care function.

Applications and software can also be considered medical devices if they are used to directly or indirectly affect a patient’s health status or activity.

https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?CFRPart=820

HIPAA

HIPAA (Health Insurance Portability and Accountability Act) provides federal protection for individually identifiable health information.

The HIPAA Security Rule also specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use to assure the confidentiality, integrity, and availability of electronic protected health information.

Any system or software that stores, transmits, archives, or interacts with patient privacy data should be designed to adhere to HIPAA requirements.

https://www.hhs.gov/hipaa/index.html

ISO 13485 and 14155

ISO (International Organization for Standardization) publishes a set of proprietary, industrial, and commercial standards.

The commonly known ISO 9000 family of standards governs quality management.

ISO 13485 defines requirements for a comprehensive quality management system for the design and manufacture of medical devices. Similar in scope to 21 CFR Part 820, ISO 13485 is an international standard.

https://www.iso.org/iso-13485-medical-devices.html

ISO 14155 addresses good clinical practice for the design, conduct, recording, and reporting of clinical investigations carried out in human subjects to assess the safety or performance of medical devices for regulatory purposes. This standard is applicable to any organization that conducts clinical trials or studies, and to their vendors and service providers.

https://www.iso.org/obp/ui/#iso:std:iso:14155:ed-2:v1:en

Quality Program

Quality Compliance is ensured by having and following a formal Quality Management System (QMS), also known as a Quality Program.

The Quality Program serves the following purposes:

  • To define the organization’s concept of quality (quality statement)
  • To describe the organization’s approach to complying with applicable regulatory requirements
  • To define the organization’s approach to creating and maintaining a thorough, consistent quality process
  • To describe how the organization will achieve these goals (policies, processes, and procedures)

The Quality Program consists of the following elements:

  • Evaluations and assessments
  • Risk management
  • Software Development Life Cycle
  • Configuration Management and Change Control
  • Computer Systems Validation
  • Document Management
  • Policies and Procedures

Evaluations and Assessments

Evaluations and assessments can be used to serve many purposes:

  • Determining scope and applicability for regulatory and quality requirements
  • Identifying risks, gaps, and potential weaknesses
  • Assessing adherence to existing regulatory requirements
  • Assessing adherence to internal policies and procedures
  • Developing plans for remediation or projects
  • Providing evidence to auditors and clients of the status of compliance

Common evaluations include 21 CFR Part 11 assessments, risk assessments, and Quality Program evaluations.

Risk Management

In order to ensure a balance between compliance and efficiency, all quality endeavors should be based on the concept of risk versus effort. The FDA actively promotes a risk-based approach.

Risk assessments are used to determine the regulatory status of a system or software, and to identify gaps. Identified gaps are used to determine the necessary mitigation, such as the level of validation testing or the need for procedural documentation.

A fully validated and compliant product will appeal to a potential customer; a compliant vendor translates to less validation effort for the client.

Software Development Life Cycle

The key to maintaining control over any system or software and its associated data is a thorough, efficient, enforced software development life cycle (SDLC) process.

The SDLC defines every possible stage for the system, including planning, design, testing, implementation, feedback, and the ongoing process for changes and maintenance.

There are multiple approaches to SDLC management, such as waterfall or Agile. The approach chosen should best match the needs of the organization, the nature of the system, and how it is managed.

Change and Configuration Management

In conjunction with a defined SDLC, change and configuration management ensure long-term integrity for the system and its associated data and documentation.

Configuration Management is the practice of handling changes systematically so that a system maintains its integrity over time. This includes establishing and maintaining consistency of a system’s performance, attributes, and management throughout its life.

Change Management is a process used to ensure that changes to the system are consistently introduced, approved, performed, tested, and documented throughout the life of the system.

Computer System Validation

Computer Systems Validation (CSV) is a subset of the Quality Program. It is the process for proving and documenting that a system functions as intended.

CSV refers to both the practice of performing validation activities and the set of documentation produced, which covers the following areas:

  • Planning
  • Requirements
  • Design
  • Testing
  • Supporting Documentation
  • Periodic Reviews

CSV is typically introduced before a new system or software is created, and validation activities are performed as the system is developed. The practice of performing “reverse” CSV on an existing system is called Remediation.

Audits

Audits may come at any time from a variety of sources.

Regulatory agencies may audit an organization at any time to assess compliance with regulatory requirements, adherence to internal policies and procedures, product quality, or the integrity of data and privacy information.

Potential or existing clients may request an audit in order to determine or ensure that the product meets their needs.

Audit preparedness is essential for any organization. Internal audits should be established and performed on a regular basis, for the dual purposes of being ready for an external audit and for helping to ensure that the Quality Program is accurate, current, and enforced.

Clients in the life sciences industries expect a vendor to be prepared for auditing.

Record and Document Management

The management of official documents is essential to Quality Compliance.

The Quality Program must include a definition of all record and documentation types and how they are created, updated, approved, stored, maintained, disposed of, archived, and retrieved.

Each record/document type must have a defined retention period based on regulatory and/or company requirements.

Physical and logical security must be defined for all record and document types, including access restriction and protection from destruction or deletion.

Policies and Procedures

Formally approved policies and procedures form the backbone of the Quality Program. Policies define an organization’s approach to quality and set forth standards for excellence. Procedures describe how these standards will be achieved.

Policies and Procedures should address the following at a minimum:

  • Quality Policy
  • Risk Management
  • Software Development Life Cycle
  • Document Management
  • Change and Configuration Management
  • Computer System Validation
  • Training
  • Vendor Management
  • Audit Preparedness

IT and Infrastructure Standards and Management