Since the beginning of the great IT revolution, the complete digitisation of any document has been predicted as a point of arrival for business organizations, the most striking example of what is called the “Paperless Society”. In 1980 The Economist had published an article, “Towards the Paperless”, in which the advent of the computer was identified as the factor that would mark the beginning of the paperless office era and the triumph of data digitisation.
“We should ‘reduce the flow of paper,
ultimately aiming to abolish it’,” the article said, boldly proclaiming
the intention for a new future. More than 30 years later, The Economist asked: “WHATEVER
happened to the “paperless office”? Since then, alas, global paper consumption
has increased by half”.
According to Quocirca’sGlobal Print 2025 market insight the crucial role of innovation is well understood, but endorsing it is seen as a challenge, particularly amongst SMEs. A kind or revolution is expected, with 70% of industry executives predicting a major change to their business models due to external forces. Only 31% currently feel well-prepared to respond to the challenge.
The study covers 575 small, mid-sized and
enterprise organisations across the USA and Europe. It analyses plans for
investment in security, cloud, mobility, analytics and digitisation– all
essential ingredients for flexible working, to ensure employees remain
productive regardless of location. But if paper is our present, why can it not
be our future? Why
should we all be going paperless?
the primary forces challenging
the status quo, like for example the rapid rise in mobility, the acceleration
of digitisation and the shift to the ‘as-a-service’ economy. A new era of
connectivity, collaboration and innovation is born. In fact, teams distributed across
the world will require tools that allow a better collaboration, cloud services
that help the digitisation of workflows, which will further contribute to a
reduction in demand for print volumes.
Patrick Murray, the Compliant Cloud Technical SME for Pharma VIEW (Validated Integrated Enterprise Workflows) is speaking in a webinar on the 24th of October that will help you to understand the benefits of going paperless, using some common use cases as inspiration. Save the date and don’t miss the opportunity to know more about validated workflows, the new paperless.
Project Manager Andrius Ramanauskas describes his experience with Odyssey VC so far, from the early stages to the day-to-day and looking forward to the future.
you were looking for from your application to Odyssey?
After I moved to Ireland from Lithuania, I
was looking to progress my career in Project Management. I completed both the
PRINCE2 and PMP project management qualifications to formalise my experience
and approach to project management. I was essentially starting from scratch and
wanted to work somewhere where I could take my newly acquired knowledge of the
formal project management processes and build on it. Odyssey VC seemed like a
very good place to begin that process. Working in the highly regulated environment
of pharmaceuticals has been the best proving ground for me.
was your first experience at Odyssey?
Odyssey VC was in the very early stages
when I joined the company and it was fascinating to see the growth of an
organisation. To join at that time was, and still is, very exciting; the
ambition at the company is huge and you really do feel part of the bigger
One of the initial and most important
learnings for me has been the understanding of compliance and regulatory requirements
within the industry. Coming from a general IT PM background, the step into
compliance was a huge change. The regulatory requirements, which are as much a
part of our experience as they are for our customers, is a big eye-opener. In
my previous involvement with software development projects, there wasn’t a
strong emphasis on documented control of design, test and release. Within the
Life Sciences industry, the project management steps – especially around the
control of change during the design process – have to be controlled and stand
up to scrutiny from a regulatory audit perspective to ensure absolute
training did you receive?
When starting with OdysseyVC there is an
intensive induction programme that gives all new joiners a deep insight into
the validation requirements to meet compliance standards in our industry. This
is hugely beneficial and gives context to the activity we are working on. I
have since trained in topics such as Quality Management Systems and
Computerised System Validation.
is a typical day like for you?
As a Project Manager you wear many hats! I
am currently heavily involved in a significant project for one of our clients,
which will impact their sites globally.
The Project Management Team has expanded
recently and so there is now an element of mentoring that forms part of my role.
This is to help the team understand the business objectives and define and
build the formal process for project management within the company for internal
and external projects. I am in regular contact with our global clients, both
remotely and through site visits.
do you appreciate the most about working at Odyssey?
The challenge! It is a fast-paced
environment and completely engaging but I wouldn’t describe it as stressful –
we do our best to take the stress out of situations by planning. We take a very
pragmatic approach to problem-solving and designing solutions. There is huge
opportunity within the company to get exposure to all elements of the business
and to evolve and grow, personally and professionally.
do you hope to achieve in the future?
I would like to see my career continue on
the trajectory that it has taken so far. I am very interested in different
project methodologies and their application for specific projects; there is no
one best way. I hope to achieve certification in Agile Project Management, which
I believe will deepen this understanding.
How do we keep up with a speeding car that’s only getting faster? QA and Compliance Specialist Nicola Brady gives an outsider’s perspective on trying to adapt to the ever-changing technologies and tools at our disposal in the life sciences sector.
naturally tech savvy. I’ll be the first to
admit that I call the IT help desk whenever I encounter any issue with my
computer – after I try to turn it off and on again, of course – so you’d hardly
believe that I studied some computer science elements as part of my
undergraduate degree in science. I cast
my mind back now to those classes on C+ programming, SQL and database design,
biomedical imaging and emerging technologies, and I remember thinking “how is
this science?”. Now, the question is “how
wrong was I?”
information technology do not exist independently of each other. Look at the
life science industry, for example; how would drug product development or drug
product manufacturing be possible without the symbiosis of science and
information technology? In fact, life science companies these days are
investing more time, resources and effort than ever before in implementing and
maintaining Information technologies to deliver safe, efficacious and
affordable products to patients. The
information technologies and tools that I encountered during my studies may
even be redundant now (I am not going to share how long ago that was!), as those
technologies and tools are evolving so quickly that it is often difficult for
organisations to keep pace. Should I have paid more attention? Perhaps,
although I could argue that I know what I know, and I certainly know what I
course of my career in various Quality Control, Quality Assurance and
Compliance roles in the life sciences sector, I have interacted as an end user
with my fair share of information technologies and tools. I have supported
validation and qualification activities, facilitated risk assessments, conducted
investigations and audited the associated processes for these same technologies
and tools. But these roles did not require me to be a software developer, or a programmer,
or a system builder. There are many more skilled people suitable for performing
these types of technical tasks. No, my role is about looking at these
information technologies and tools relative to their intended use and application,
asking the tough questions like, for example, how will we meet the regulatory
requirements? How can we qualify or validate the technology for its intended
use? How can we assure data integrity? What do we need to implement to monitor
So, while I
will try my best to embrace the new information technologies and tools as they
emerge – tools including cloud computing, data
analytics, blockchain, IOT (Internet of Things) devices and even AI (Artificial
Intelligence) – I will most definitely
stay on top of the changing regulatory landscape pertaining to their use in the
life science industry.
Quality Assurance Specialist with Compliant Cloud Nicola Brady dives into the nitty gritty of Validated SaaS, including what it involves, the elements of vendor evaluation, and the responsibilities associated with validation.
Software as a Service (SaaS) is a software deployment model where a vendor hosts a software application and makes it available over the Internet. SaaS has become an essential distributed software deployment model for providers, and its acceptance has grown exponentially across organisations of all sizes and types. Interestingly, new vendors, in any application market, tend to have SaaS as their only delivery model and that very fact presents a significant challenge to regulated Life Science companies in particular, who are traditionally very conservative in adopting new approaches and tend to retain many on-premise applications.
That said, Life Science companies are moving gradually and cautiously towards SaaS applications in an effort to reduce the costs associated with on-site software development and deployment models. In addition to this, considering many new software applications are SaaS-only models, the Life Science sector will need to quickly develop the regulatory knowledge and IT / Compliance skills to successfully utilise these new SaaS offerings in a “validated” and “compliant” way.While the regulated company is ultimately responsible for the validation of the SaaS to confirm fitness for intended use and the maintenance of its overall compliance, choosing the right SaaS vendor can go a long way towards lessening the validation burden.
The SaaS software deployment model makes the software available to all subscribers i.e. those that have agreed to consume the service from the vendor. The application software is owned, delivered and managed by one or more providers. A SaaS subscriber is exposed only to the application and its configuration and does not monitor, manage or control the underlying infrastructure (including network, servers, operating systems, storage, databases or application platform services) or software updates. This is a very critical point when we consider that Life Science companies must ensure that; ’The application should bevalidated; IT infrastructure should be qualified. ‘(EU GMP Annex 11)
The SaaS validation effort
For a standard software validation exercise the client has sole responsibility for the Software Development Lifecycle (SDLC) and all the activities therein. For the validation of a SaaS application, a significant reduction in effort can be achieved through moving some of the validation activities to the vendor and leveraging vendor documentation. GAMP 5 states ‘maximize supplier involvement through the system lifecycle in order to leverage knowledge, experience and documentation subject to a satisfactory supplier assessment’ and ‘avoid wasted effort and duplication’ (GAMP 5)
The relative reduction in the validation activities required, by the client/subscriber, to deliver a SaaS is heavily dependent on the quality of processes, documentation and controls in place at the SaaS vendor. Remember that it is a regulatory requirement that the software is validated, and the infrastructure is qualified. Choosing to consume a SaaS software offering does not remove this regulation. Selecting the right SaaS vendor is key and any potential SaaS provider should be evaluated to confirm that their systems, processes and validation methodology are in alignment with the regulated company’s (client / subscriber) expectations.
The regulations stipulate that a vendor audit or assessment be performed regardless of the degree or scope of activities that the SaaS vendor will perform. This vendor evaluation is even more critical when a client / subscriber is looking to leverage the vendor activities to meet their validation requirements. The vendor evaluation should consider the following elements:
Software Development Lifecycle (SDLC) methodology & documentation
Project Management Processes
Personnel Qualifications (QA, Technical)
Documentation Standards & Procedures
Methods for Review & Approval
Clear separation of Development, Test and Production Environments
Change management processes
Corrective and preventive action processes
Service Delivery Processes (Maintenance, Support)
Physical and logical security controls for system / data
21 CFR part 11 compliance as applicable
Based on the data from the vendor audit or documentation evaluation, the regulated client/subscriber can then perform a risk assessment to document and determine the extent to which the vendor documentation can be leveraged to support the overall validation exercise for the SaaS. The qualification of the host infrastructure must also be considered. Table 1 below highlights the responsibilities associated with the validation exercise:
Table 1: Typical Responsibilities for Validation of SaaS
The contract with the SaaS provider
Under European Regulations, EudraLex Chapter 7, there are also very specific regulations concerning outsourced activities-which SaaS is considered- and adherence to these regulations must be provided in evidence in the event of a regulatory inspector requesting this information.It is never sufficient in these circumstances to state that “the vendor looks after that”.
Documenting the agreement or contract with the SaaS vendor is as, if not more, important than the validation exercise. The contract should contain the following details at a minimum:
Ability of SaaS vendor to carry out the outsourced activity satisfactorily
Restriction on sub-contracting to third
Restriction on unauthorised changes
Availability of the SaaS vendor for regulatory inspection
Remember, the SaaS vendor is not a regulated entity so the ultimate responsibility and accountability for the SaaS lies with the regulated client / subscriber. While the responsibilities, communication processes and technical aspects of the contract are key, the regulated client / subscriber’s quality system must be set up for control and review of the outsourced activities associated with the SaaS. Only then can the potential risks associated with outsourcing software deployment to a SaaS vendor be mitigated.
Adam Lawler answers the big questions about one of the life science industry’s core tenets.
The life sciences industry would be nothing without regulatory consistency and control, and one of the most significant forces governing the manufacture of pharmaceuticals is 21 CFR Part 11. The question is, what is it exactly? For such an important regulation it seems to be constantly shrouded in mystery and more than a fair share of confusion, and in this article we hope to answer the big questions about one of the industry’s core tenets.
In short, 21 CFR Part 11 is a section of the Code of Federal Regulations (CFR) which outlines the Food and Drug Administration’s (FDA) code pertaining to electronic signatures and electronic records. What does this mean? Basically, it amounts to accountability, traceability, and transparency. 21 CFR Part 11 clearly lays out the checklist for accurate electronic records and signatures, with the express intention of making sure that companies adhere to good practices when it comes to electronic data logging and maintenance, guaranteeing accuracy, mitigating potential cases of human error, and ensuring that any alterations made to an electronic document can be traced.
What counts as an electronic record? A simpler question would be what doesn’t; the definition is broad, encompassing everything from words to sound. More specifically, Part 11 defines an electronic record as “any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.” Traditional analogue methods of record-keeping are not exempt, as paper documents, when scanned into a computer, also fit under 21 CFR part 11 as soon as they are digitised.
Where did this law come from? The law originated from meetings between the FDA and pharmaceutical companies regarding how to deal with record-keeping when entering the hitherto nebulous electronic sphere. Eventually, after much refinement, 21 CFR Part 11 emerged as the proffered solution in its core version in 1997. The most significant alteration made to the law since then was in 2000, when the FDA acknowledged further-developing digitisation by officially stating the equivalence of paper records and electronic records, as well as of electronic signatures and traditional ink signatures. It should also be noted that there is a European equivalent to 21 CFR Part 11 called Annex 11, and, while extensive similarities exist, the requirements of the two do not entirely correspond, something we will explore at length in a later article.
Considering the unwieldy and outmoded nature of paper record-keeping and the ever-shifting electronic landscape, such a law could always stand to be further amended. Over the years, 21 CFR Part 11 has been supplemented by guidance documents relating to data integrity and data management practices from various bodies – including PIC/S, MHRA and WHO, as well as the FDA themselves who issued a draft guidance ‘Data Integrity & Compliance with CGMP’ in April 2016 – but as it stands, 21 CFR Part 11 is one of the longest standing and most influential laws in the life sciences industry pertaining to electronic data.
In a world without 21 CFR Part 11, the impact of human error would be much more significant, and the electronic landscape would remain an untameable beast with no guarantee of accountability or traceability. With it, navigating the overwhelming breadth of the digital realm is that much easier, the outcomes more accurate, and technology becomes just another tool in the belt of regulated record-keeping.
O’ Leary tells us about his role with Odyssey VC and Compliant Cloud, speaking
about how he got into the role, his experience so far, and hopes for the
future. Compliant Cloud is a company formed by a group of engineers,
consultants, designers, and quality people who have come from the Life Science
sector and regulated sectors.
us how you got into the role of IT Compliance Specialist at OdysseyVC!
I started working in IT Compliance in my
previous job and wanted to dig a little deeper into the Compliance side of
things as it really interested me. About a year ago I noticed that Odyssey VC
were advertising a role. I applied for it and the rest is history. Having a
compliance / validation company 35 minutes from my house with the exact role
that I wanted was a great find!
After starting with OdysseyVC, I
immediately completed training in industry-relevant areas such as GxP
Application Life Cycle Management, Computerised Systems Validation and GDP
(Good Documentation Practices), all of which have been essential in the role
that I work in.
would you describe your experience of the company so far?
My first impressions and experience of the
company so far have been that they are very knowledgeable people. Understanding,
accommodating and extremely welcoming – they are very enthusiastic about
growing the business! I really appreciate how well we all work together as a team;
everyone is willing to help out, even if it’s not their level of expertise, to
find a way forward.
There is no such thing as a typical day but
each day I spend time working through the tasks that I have assigned myself to
work through, project tasks that support CompliantCloud.com. This involves creating
and reviewing of qualified documentation packs to support the qualification
process, which is a key element of CompliantCloud.com.
On top of that I am also a technical
liaison for any of the Odyssey VC staff who require IT or Compliance guidance. This
could be to assist with internal or on-going client projects.
would you like to go on to achieve at the company?
Having recently assisted other colleagues
on various client projects and tasks I am now looking to understand more about
GxP systems in real world Life Sciences and Pharmaceuticals Industry and work
more directly with our clients to support their projects.
One of the challenges faced by traditionally conservative regulated industry is how to incorporate new innovations into existing regularly frameworks.While traditional IT companies and service providers may not be equipped to alleviate the concerns of Big Pharma’s transition into the cloud, emerging companies like Compliant Cloud are stepping up to the mark to seamlessly take care of the process while complying with the regulations.
The amount of information being handled by industry is exploding – data volume continues to grow. Likewise, the need for computing power continues to grow, raising the amount of resources IT has to manage. Industries are always looking for better, cheaper, and faster solutions. It has become practice to outsource to specialised firms who can provide IT solutions more efficiently. Cloud providers offer extremely fast and flexible solution delivery, on-demand scalability and Business continuity solutions. They also allow easy solutions for backup and archive. All of these benefits, and more, are available for a considerably lower cost than traditional in-house computing solutions.
Compliant Cloud is a new innovative cloud computing qualified infrastructure that allows companies to be compliant in highly regulated environments.