Taking off from my previous post on how compliance ensures data reliability, and helps assure computer systems that touch the drug lifecycle, this post focuses on integration of compliance with the software lifecycle.
When compared with traditional quality processes, QA for pharma is an independent business unit, with distinct reporting lines, and a much broader perspective that encompasses all aspects of IT quality. Answerable to regulatory authorities, it strives to ensure compliance with defined quality standards. As such, software lifecycle quality includes Standard Operating Procedures (SOPs), Deviation Management, Corrective and Preventive Action (CAPA), Computer Systems Validation (CSV), Audits, Training, and Quality Control. Some aspects of quality control rest with project teams, in a well-defined SOP framework.
Many pharma organizations prefer a cautious approach to avoid ending up, inadvertently, on the wrong side of regulation. While its good to be safe than sorry, being over-cautious sometimes also inculcates a culture prohibitive to new technology adoption. This is where the problem lies.
Lets understand by analyzing another industry. For instance, it is easier for retail to advance into the realms of Continuous Integration & ContinuousDelivery (CICD). Even the compliance-intensive Banking and Insurance industry sectors have adopted DevOps and Agile, to significantly reduce cycle time.
However, given the direct impact pharma has on human life, in addition to compliance issues and regulations, theres a plethora of process evidence, and activity documentation that must be preserved. Test scripts must be archived and stored, electronic signatures must be maintained, audit trails must be analyzed, test evidence must be captured and stored at all validation points, functionality must be traceable, processes must be well documented, reviews supported with artifacts, tools validated, access controlled the list goes on.
Imagine complying with all regulatory requirements in a paper-based, manual environment. Sounds baffling, right? Thanks to the FDAs electronic records and signatures regulation, pharma companies have moved from paper-based environment to electronic validation. But in some organizations, the journey has been very long and slow. This reinforces my standpoint that compliance enforcement in pharma has, at some point in time, transitioned from taking a cautious approach to satisfy regulation, to being almost prohibitive to technology adoption.
I will try to simplify this. Lets take the case of test automation: adoption of test automation is widely driven by a business case or RoI based on the ability to shorten the test cycle (mostly regression). In pharma, there is an additional factor to consider compliance. The questions to answer are plenty. If we create test scripts from test cases, where are these stored? How do we ensure electronic signatures and audit trial are maintained? How is test evidence at the validation points captured? How is traceability maintained? And so on.
In sharp contrast, in pharmas non-regulatory systems and environment, the situation is optimistic. There are good automation examples, such as ERP systems for manufacturing, supply chain and distribution, corporate systems, and sales and marketing.
Can pharma companies afford to ignore these technology trends? Certainly not. What can be done?
I am sharing a quick QA guide to ensure standards compliance by all stakeholders internal and external, including supplier organizations and outsourcing partners.
- As mandated by regulations, suppliers and outsourcing partners must face regular supplier audits. The audit must focus on aspects such as training plans and records, quality procedures, testing practices, deviation, CAPA, access and security controls, Business Continuity Planning (BCP) and Disaster Recovery (DR), and background checks.
- While examining evidence for QC execution, auditors must specifically check for test process handbooks, testing practices and techniques, test case authoring processes, testing and documentation standards, testing tools usage, requirements traceability, risk based approach for test coverage, version control for deliverables, audit trails, artifacts documentation, and the right mix of testing team roles.
Pharma QA units are beginning to realize how their (over) cautious approach might be stifling IT teams. In a facilitative role, QA must act as change catalyst, and help pharma adopt the digital wave. In my next post, we will explore the what, why, how, who, when and where of this change.