Whatever happened to the “paperless office”?

Validated Workflows: the New Paperless
Webinar – Thursday, October 24th 2019, 11am GMT

By Marta Rosa Spiga

Since the beginning of the great IT revolution, the complete digitisation of any document has been predicted as a point of arrival for business organizations, the most striking example of what is called the “Paperless Society”. In 1980 The Economist had published an article, “Towards the Paperless”, in which the advent of the computer was identified as the factor that would mark the beginning of the paperless office era and the triumph of data digitisation.

“We should ‘reduce the flow of paper, ultimately aiming to abolish it’,” the article said, boldly proclaiming the intention for a new future. More than 30 years later, The Economist asked: “WHATEVER happened to the “paperless office”? Since then, alas, global paper consumption has increased by half”.

According to Quocirca’s Global Print 2025 market insight the crucial role of innovation is well understood, but endorsing it is seen as a challenge, particularly amongst SMEs. A kind or revolution is expected, with 70% of industry executives predicting a major change to their business models due to external forces. Only 31% currently feel well-prepared to respond to the challenge.

The study covers 575 small, mid-sized and enterprise organisations across the USA and Europe. It analyses plans for investment in security, cloud, mobility, analytics and digitisation– all essential ingredients for flexible working, to ensure employees remain productive regardless of location. But if paper is our present, why can it not be our future? Why should we all be going paperless?

There are the primary forces challenging the status quo, like for example the rapid rise in mobility, the acceleration of digitisation and the shift to the ‘as-a-service’ economy. A new era of connectivity, collaboration and innovation is born. In fact, teams distributed across the world will require tools that allow a better collaboration, cloud services that help the digitisation of workflows, which will further contribute to a reduction in demand for print volumes.

Patrick Murray, the Compliant Cloud Technical SME for Pharma VIEW (Validated Integrated Enterprise Workflows) is speaking in a webinar on the 24th of October that will help you to understand the benefits of going paperless, using some common use cases as inspiration. Save the date and don’t miss the opportunity to know more about validated workflows, the new paperless.

Find more here:https://compliantcloud.com/webinar/

Interview With A Project Manager

Project Manager Andrius Ramanauskas describes his experience with Odyssey VC so far, from the early stages to the day-to-day and looking forward to the future.

What you were looking for from your application to Odyssey?

After I moved to Ireland from Lithuania, I was looking to progress my career in Project Management. I completed both the PRINCE2 and PMP project management qualifications to formalise my experience and approach to project management. I was essentially starting from scratch and wanted to work somewhere where I could take my newly acquired knowledge of the formal project management processes and build on it. Odyssey VC seemed like a very good place to begin that process. Working in the highly regulated environment of pharmaceuticals has been the best proving ground for me.

What was your first experience at Odyssey?

Odyssey VC was in the very early stages when I joined the company and it was fascinating to see the growth of an organisation. To join at that time was, and still is, very exciting; the ambition at the company is huge and you really do feel part of the bigger picture.

One of the initial and most important learnings for me has been the understanding of compliance and regulatory requirements within the industry. Coming from a general IT PM background, the step into compliance was a huge change. The regulatory requirements, which are as much a part of our experience as they are for our customers, is a big eye-opener. In my previous involvement with software development projects, there wasn’t a strong emphasis on documented control of design, test and release. Within the Life Sciences industry, the project management steps – especially around the control of change during the design process – have to be controlled and stand up to scrutiny from a regulatory audit perspective to ensure absolute traceability.

What training did you receive?

When starting with OdysseyVC there is an intensive induction programme that gives all new joiners a deep insight into the validation requirements to meet compliance standards in our industry. This is hugely beneficial and gives context to the activity we are working on. I have since trained in topics such as Quality Management Systems and Computerised System Validation.

What is a typical day like for you?

As a Project Manager you wear many hats! I am currently heavily involved in a significant project for one of our clients, which will impact their sites globally.

The Project Management Team has expanded recently and so there is now an element of mentoring that forms part of my role. This is to help the team understand the business objectives and define and build the formal process for project management within the company for internal and external projects. I am in regular contact with our global clients, both remotely and through site visits.

What do you appreciate the most about working at Odyssey?

The challenge! It is a fast-paced environment and completely engaging but I wouldn’t describe it as stressful – we do our best to take the stress out of situations by planning. We take a very pragmatic approach to problem-solving and designing solutions. There is huge opportunity within the company to get exposure to all elements of the business and to evolve and grow, personally and professionally.

What do you hope to achieve in the future?

I would like to see my career continue on the trajectory that it has taken so far. I am very interested in different project methodologies and their application for specific projects; there is no one best way. I hope to achieve certification in Agile Project Management, which I believe will deepen this understanding.

Lost in Space – Navigating the new IT landscape in the Life Science Industry

A perspective on trying to adapt to the ever-changing technologies and tools at our disposal in the life sciences sector.

How do we keep up with a speeding car that’s only getting faster? QA and Compliance Specialist Nicola Brady gives an outsider’s perspective on trying to adapt to the ever-changing technologies and tools at our disposal in the life sciences sector.

I’m not naturally tech savvy.  I’ll be the first to admit that I call the IT help desk whenever I encounter any issue with my computer – after I try to turn it off and on again, of course – so you’d hardly believe that I studied some computer science elements as part of my undergraduate degree in science.  I cast my mind back now to those classes on C+ programming, SQL and database design, biomedical imaging and emerging technologies, and I remember thinking “how is this science?”.  Now, the question is “how wrong was I?”

Science and information technology do not exist independently of each other. Look at the life science industry, for example; how would drug product development or drug product manufacturing be possible without the symbiosis of science and information technology? In fact, life science companies these days are investing more time, resources and effort than ever before in implementing and maintaining Information technologies to deliver safe, efficacious and affordable products to patients.  The information technologies and tools that I encountered during my studies may even be redundant now (I am not going to share how long ago that was!), as those technologies and tools are evolving so quickly that it is often difficult for organisations to keep pace. Should I have paid more attention? Perhaps, although I could argue that I know what I know, and I certainly know what I don’t know!

Over the course of my career in various Quality Control, Quality Assurance and Compliance roles in the life sciences sector, I have interacted as an end user with my fair share of information technologies and tools. I have supported validation and qualification activities, facilitated risk assessments, conducted investigations and audited the associated processes for these same technologies and tools. But these roles did not require me to be a software developer, or a programmer, or a system builder. There are many more skilled people suitable for performing these types of technical tasks. No, my role is about looking at these information technologies and tools relative to their intended use and application, asking the tough questions like, for example, how will we meet the regulatory requirements? How can we qualify or validate the technology for its intended use? How can we assure data integrity? What do we need to implement to monitor and control?

So, while I will try my best to embrace the new information technologies and tools as they emerge tools including cloud computing, data analytics, blockchain, IOT (Internet of Things) devices and even AI (Artificial Intelligence) –  I will most definitely stay on top of the changing regulatory landscape pertaining to their use in the life science industry.

A Guide to Validated Software as a Service (SaaS)

Validated Software as Service

Quality Assurance Specialist with Compliant Cloud Nicola Brady dives into the nitty gritty of Validated SaaS,
including what it involves, the elements of vendor evaluation, and the responsibilities associated with validation.

Software as a Service (SaaS) is a software deployment model where a vendor hosts a software application and makes it available over the Internet.  SaaS has become an essential distributed software deployment model for providers, and its acceptance has grown exponentially across organisations of all sizes and types.  Interestingly, new vendors, in any application market, tend to have SaaS as their only delivery model and that very fact presents a significant challenge to regulated Life Science companies in particular, who are traditionally very conservative in adopting new approaches and tend to retain many on-premise applications.

That said, Life Science companies are moving gradually and cautiously towards SaaS applications in an effort to reduce the costs associated with on-site software development and deployment models.  In addition to this, considering many new software applications are SaaS-only models, the Life Science sector will need to quickly develop the regulatory knowledge and IT / Compliance skills to
successfully utilise these new SaaS offerings in a “validated” and “compliant” way.While the regulated company is ultimately responsible for the validation of the SaaS to confirm fitness for intended use and the maintenance of its overall compliance, choosing the right SaaS vendor can go a long way towards lessening the validation burden.

The SaaS software deployment model makes the software available to all subscribers i.e. those that have agreed to
consume the service from the vendor. The application software is owned, delivered and managed by one or more providers.  A SaaS subscriber is exposed only to the application and its configuration and does not monitor, manage or control the underlying infrastructure (including network, servers, operating systems, storage, databases or application platform services) or software updates. This is a very critical point when we consider that Life Science companies must ensure that; ’The application should bevalidatedIT infrastructure should be qualified. ‘(EU GMP Annex 11)

The SaaS validation effort

For a standard software validation exercise the client has sole responsibility for the Software Development Lifecycle
(SDLC) and all the activities therein. For the validation of a SaaS application, a significant reduction in effort can be achieved through moving some of the validation activities to the vendor and leveraging vendor documentation. GAMP 5 states ‘maximize supplier involvement through the system lifecycle in order to leverage knowledge, experience and documentation subject to a satisfactory supplier assessment’ and ‘avoid wasted effort and duplication’ (GAMP 5)

The relative reduction in the validation
activities required, by the client/subscriber, to deliver a SaaS is heavily dependent on the quality of processes, documentation and controls in place at
the SaaS vendor.  Remember that it is a regulatory requirement that the software is validated, and the infrastructure is
qualified. Choosing to consume a SaaS software offering does not remove this regulation.  Selecting the right SaaS
vendor is key and any potential SaaS provider should be evaluated to confirm that their systems, processes and validation methodology are in alignment with the regulated company’s (client / subscriber) expectations.  

The regulations stipulate that a vendor audit or assessment be performed regardless of the degree or scope of
activities that the SaaS vendor will perform. 
This vendor evaluation is even more critical when a client / subscriber is looking to leverage the vendor activities to meet their validation
requirements.  The vendor evaluation should consider the following elements:

  • Software Development Lifecycle (SDLC) methodology
    & documentation
  • Project Management Processes
    • Personnel Qualifications (QA, Technical)
    • Documentation Standards & Procedures
    • Methods for Review & Approval
    • Design Standards
    • Configuration Management
    • Testing Standards
    • Clear separation of Development, Test and Production
      Environments
    • Change management processes
    • Corrective and preventive action processes
    • Training processes
    • Release documentation
    • Service Delivery Processes (Maintenance, Support)
    • Physical and logical security controls for system /
      data
    • 21 CFR part 11 compliance as applicable

Based on the data from the vendor audit or documentation evaluation, the regulated client/subscriber can then perform a risk assessment to document and determine the extent to which the vendor documentation can be leveraged to support the overall validation exercise for the SaaS.  The qualification of the host infrastructure must also be considered.  Table 1 below highlights the responsibilities associated with the validation exercise: 

Table 1: Typical Responsibilities for Validation of SaaS

A guide to validated software as a service

The contract with the SaaS provider

Under European Regulations, EudraLex Chapter
7, there are also very specific regulations concerning outsourced activities-which SaaS is considered- and adherence to these regulations must be provided
in evidence in the event of a regulatory inspector requesting this information.It is never sufficient in these circumstances to state that “the vendor looks
after that”.

Documenting the agreement or contract with the SaaS vendor is as, if not more, important than the validation exercise.  The contract should contain the following details at a minimum:

  • Ability of SaaS vendor to carry out the
    outsourced activity satisfactorily
  • Restriction on sub-contracting to third
    • parties
    • Restriction on unauthorised changes
    • Availability of the SaaS vendor for
      regulatory inspection

Remember, the SaaS vendor is not a regulated entity so the ultimate responsibility and accountability for the SaaS
lies with the regulated client / subscriber. While the responsibilities, communication processes and technical aspects of the contract are key, the
regulated client / subscriber’s quality system must be set up for control and review of the outsourced activities associated with the SaaS.  Only then can the potential risks associated with outsourcing software deployment to a SaaS vendor be mitigated.

 

What is 21 CFR Part 11?

 

Adam Lawler answers the big questions about one of the life science industry’s core tenets.

 answers the big questions about one of the life science industry's

 

The life sciences industry would be nothing without regulatory consistency and control, and one of the most significant forces governing the manufacture of pharmaceuticals is 21 CFR Part 11. The question is, what is it exactly? For such an important regulation it seems to be constantly shrouded in mystery and more than a fair share of confusion, and in this article we hope to answer the big questions about one of the industry’s core tenets.

In short, 21 CFR Part 11 is a section of the Code of Federal Regulations (CFR) which outlines the Food and Drug Administration’s (FDA) code pertaining to electronic signatures and electronic records. What does this mean? Basically, it amounts to accountability, traceability, and transparency. 21 CFR Part 11 clearly lays out the checklist for accurate electronic records and signatures, with the express intention of making sure that companies adhere to good practices when it comes to electronic data logging and maintenance, guaranteeing accuracy, mitigating potential cases of human error, and ensuring that any alterations made to an electronic document can be traced.

What counts as an electronic record? A simpler question would be what doesn’t; the definition is broad, encompassing everything from words to sound. More specifically, Part 11 defines an electronic record as “any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.” Traditional analogue methods of record-keeping are not exempt, as paper documents, when scanned into a computer, also fit under 21 CFR part 11 as soon as they are digitised.

Where did this law come from? The law originated from meetings between the FDA and pharmaceutical companies regarding how to deal with record-keeping when entering the hitherto nebulous electronic sphere. Eventually, after much refinement, 21 CFR Part 11 emerged as the proffered solution in its core version in 1997. The most significant alteration made to the law since then was in 2000, when the FDA acknowledged further-developing digitisation by officially stating the equivalence of paper records and electronic records, as well as of electronic signatures and traditional ink signatures. It should also be noted that there is a European equivalent to 21 CFR Part 11 called Annex 11, and, while extensive similarities exist, the requirements of the two do not entirely correspond, something we will explore at length in a later article.

Considering the unwieldy and outmoded nature of paper record-keeping and the ever-shifting electronic landscape, such a law could always stand to be further amended. Over the years, 21 CFR Part 11 has been supplemented by guidance documents relating to data integrity and data management practices from various bodies – including PIC/S, MHRA and WHO, as well as the FDA themselves who issued a draft guidance ‘Data Integrity & Compliance with CGMP’ in April 2016 – but as it stands, 21 CFR Part 11 is one of the longest standing and most influential laws in the life sciences industry pertaining to electronic data.

In a world without 21 CFR Part 11, the impact of human error would be much more significant, and the electronic landscape would remain an untameable beast with no guarantee of accountability or traceability. With it, navigating the overwhelming breadth of the digital realm is that much easier, the outcomes more accurate, and technology becomes just another tool in the belt of regulated record-keeping.

An Interview With An IT Compliance Specialist

An Interview With An IT Compliance Specialist
Having a compliance / validation company 35 minutes from my house with the exact role that I wanted was a great find!

Cormac O’ Leary tells us about his role with Odyssey VC and Compliant Cloud, speaking about how he got into the role, his experience so far, and hopes for the future. Compliant Cloud is a company formed by a group of engineers, consultants, designers, and quality people who have come from the Life Science sector and regulated sectors.

Tell us how you got into the role of IT Compliance Specialist at OdysseyVC!

I started working in IT Compliance in my previous job and wanted to dig a little deeper into the Compliance side of things as it really interested me. About a year ago I noticed that Odyssey VC were advertising a role. I applied for it and the rest is history. Having a compliance / validation company 35 minutes from my house with the exact role that I wanted was a great find!

After starting with OdysseyVC, I immediately completed training in industry-relevant areas such as GxP Application Life Cycle Management, Computerised Systems Validation and GDP (Good Documentation Practices), all of which have been essential in the role that I work in.

How would you describe your experience of the company so far?

My first impressions and experience of the company so far have been that they are very knowledgeable people. Understanding, accommodating and extremely welcoming – they are very enthusiastic about growing the business! I really appreciate how well we all work together as a team; everyone is willing to help out, even if it’s not their level of expertise, to find a way forward.

There is no such thing as a typical day but each day I spend time working through the tasks that I have assigned myself to work through, project tasks that support CompliantCloud.com. This involves creating and reviewing of qualified documentation packs to support the qualification process, which is a key element of CompliantCloud.com.

On top of that I am also a technical liaison for any of the Odyssey VC staff who require IT or Compliance guidance. This could be to assist with internal or on-going client projects.

What would you like to go on to achieve at the company?

Having recently assisted other colleagues on various client projects and tasks I am now looking to understand more about GxP systems in real world Life Sciences and Pharmaceuticals Industry and work more directly with our clients to support their projects.

Compliance By Design.

One of the challenges faced by traditionally conservative regulated industry is how to incorporate new innovations into existing regularly frameworks.While traditional IT companies and service providers may not be equipped to alleviate the concerns of Big Pharma’s transition into the cloud, emerging  companies like Compliant Cloud  are stepping up to the mark to seamlessly take care of the process while complying with the regulations.

The amount of information being handled by industry  is exploding – data volume continues to grow. Likewise, the need for computing power continues to grow, raising the amount of resources IT has to manage. Industries are always looking for better, cheaper, and faster solutions. It has become practice to outsource to specialised firms who can provide IT solutions more efficiently. Cloud providers offer extremely fast and flexible solution delivery, on-demand scalability and Business continuity solutions. They also allow easy solutions for backup and archive. All of these benefits, and more, are available for a considerably lower cost than traditional in-house computing solutions.

Compliant Cloud is a new innovative cloud computing qualified infrastructure that allows companies to be compliant in highly regulated environments.