Your team needs a thorough understanding of how your selected software will be validated, and this topic should be a critical part of your eQMS evaluation. In particular, it's important to understand what your vendor/ partner will bring to the table. Below is a primer on managing the initial qualification/validation process for your new eQMS.
These items will be raised directly/ indirectly as you are inspected, especially if you are in or near a commercial stage. So make sure to get these in place with your chosen vendor.
GAMP 5 drives the life sciences space and is consistent with ISO and other key standards. This should be the methodology underlying your validation efforts. You can find a good reference here or review the webinar by Melita Ball @ MBCA Consulting regarding validation. Other standards/regulations that you are subject to, such as 21 CFR p.11/ Annex 11, CLIA/CAP, etc. are also relevant and can/should be incorporated into your qualification as appropriate.
GAMP 5 provides a risk-based approach to validation, and two core areas of focus will be:
Let’s just say this out loud together-- your eQMS will hold critical documents accompanied by electronic signatures and should be deemed critical/ higher risk for companies from preclinical to commercial stages. It's just not an option to ignore validation altogether. But the framework does allow your stage and type of software to dictate how difficult this will be.
The quote above is from an FDA auditor with +20 years field experience and who also advised on the agency’s cloud computing activities. And it sounds simple, doesn't it? Let’s unpack this.
The “fit for purpose” bit is an essential term of art-- it presupposes that you have:
Whether this stuff takes the form of a simple memo or a full URS, Quality Audit, UAT, etc. is really a secondary point driven by your quality SOPs, stage, risk assessment, etc. But showing the inspectors nothing is more likely to cause you a problems than showing them something them something they can review.
The second part is a little easier to follow. If you have critical vendors/contractors, you should have a documented SOP governing how you qualify, audit and manage them. You may also have an additional SOP governing computer systems validation. You should expect to be asked:
Did you follow your own SOPs?
Where’s the audit and risk assessment?
Is your qualification based on your risk assessment?
Can you explain/ defend it easily?
Whether you are creating your own software tools from scratch or heavily customizing from an existing core, your software validation will be a bit heavier by default. You are basically in the regulated software business, and auditors will hold your efforts to the same high standards they would a stand-alone software developer deployment. Your vendor partner or consultants can/ should make sure to deliver some or all of these documents as part of a release, but remember this process also governs any changes you want to make in the future-- meaning you will have to update your validation with any changes. Let’s be honest here-- this is onerous, and a core reason why so many custom deployments languish without updates for years at a time.
Delivering the software will require the following:
SaaS platforms should already have in place the core validation ready for review. That means the software/ infrastructure has been developed in accordance with all relevant standards within a defined quality manual, including detailed Software Development Life Cycle, and is attended by a full suite of validation documentation made available to your team on demand (User Requirements, Functional Requirements, Traceability Matrices, OQ/PQ/IQ, etc.).
Coupling this with the quote from the FDA auditor above means you need a memo or qualification document that:
While many of our clients are experienced, we want our process and approach to be simple for anyone to follow. We start by sharing a checklist to guide your supplier qualification audit as well as your review of all quality and validation documents.
We provide a templated URS you can customize for your own purpose. We also provide a UAT that covers all the main journeys through the application-- this is not meant to be exhaustive, but is an ideal way showing the technology is fit for intended use in your organization.
ZenQMS also provides a downloadable p.11/Annex 11 checklist, that can also be included in your internal documentation.
The kicker here-- we don't charge for these items or our guidance support in the process. It is all part of our single fixed implementation fee.