Achieving compliance using modern software tools

Companies working in life sciences manufacture pharmaceutical products or medical devices that are subject to a series of legal requirements, some of which are particularly onerous (GAMP, 21 CFR etc). These not only have an impact on the processes to be supported by the application system and the required functionality, but they also affect implementation and system operation. HSO engages with software validation experts, DHC Consulting when working with these organisations to ensure that the highest quality processes are set up and maintained.

We recently met with Stefan Staub, a Partner with DHC Consulting. DHC has been established for approximately 25 years, and specialises in working alongside pharmaceutical, life sciences and medical device manufacturing companies to help them obtain system validation and compliance. These industries tend to be heavily regulated, so DHC is often called in by HSO to provide IT infrastructure qualification, data integrity and electronic records and electronic signature assessments and implementation.

So, Stefan,  what happens if an organisation finds themselves to be non-compliant?

“If your systems or processes they support are not safe, it could lead to incorrect product compositions. This will have an impact on product quality, but eventually it could even lead to the death of patients. You can easily imagine what the impact would be if a company received that news. It’s not only a struggle with regulatory bodies, but also litigation and loss of brand. It could land you in serious trouble.”

Different countries have different regulations. For an organisation like DHC, does these present problems in terms of having a consistent approach to ensure companies are compliant with the validation process of the countries that they’re operating in?

“Yes, you’re absolutely right. Regulations are different from country to country, but these are mainly governmental organisations, and they aim to make sure that medicines and medical devices are effective and safe to use. So the objectives behind those requirements are always safe. Country regulations often stipulate those computerised systems must be validated. That’s where DHC come in as we ensure that our client’s software and their computerised systems are being implemented, validated and then maintained in that validated state throughout the system lifecycle.”

Why would an organisation want to work with DHC? Can they not handle the process themselves?

“DHC has been working with so many different clients over the years, we now have the knowledge and experience to locate the appropriate frameworks and to tailor them to a specific company’s needs efficiently. This provides the assurance to them that they have everything covered.”

What are the typical steps involved?

“I think it’s important to note that not all computer systems need to be validated or become compliant. For instance, if a system is for finance, it may have an impact on the health of the management team, but certainly not on the customers. However, if a computer system manufactures products that will potentially have an impact on quality and patient safety, then validation will be required. Also, each country has their own different set of regulations.

“DHC provides the appropriate framework and tools for the company so that everything is in place to work with. The first step is to carry out an assessment and build a foundation to work from, not forgetting to ensure any gaps are filled in.

“You need to prove that the system is consistently doing what it’s supposed to do, and the documentational evidence proves that it does it reliably – that’s what validation is all about.”

So, if you’re buying products or ingredients or formulations, and manufacturing a product, that’s where the quality side comes into play. Are these areas that would need to be validated?

“Absolutely yes. Once you know that the system falls under that regulation, you need to further break it down. For instance, if you are reviewing an ERP system, it falls into finance and distribution, you might also have manufacturing, planning and execution and so on. So you need to start to define your requirements and write functional specifications of how these requirements were implemented. Then you need to carry out stringent testing to prove that the system is consistently doing what it is supposed to be doing and supply documentation providing the evidence that it carries this out reliably.”

With your experience, how have you found the Microsoft Dynamics 365 platform? Is there anything that would give concern or a benefit in terms of how successfully the solution can be validated and certified?

“All business application systems on the market today can be validated, so always choose the one that best fits your business requirements first. For some players in the industry, Microsoft Dynamics 365 is indeed their chosen system of choice, and DHC has successfully validated it a number of times.”

Are there any specific tools within the Microsoft solution that were an aid to producing documentation?

“The Task Recorder facility in Dynamics 365 allows you to define your SOPs in a video format that can be played back. Traditionally, most of the validation process involved printing off paper and signing it, but nowadays, especially with the latest GAMP guide, enabling innovation to assist in the validation process is key. It’s the motivation that the industry should be applying as you can now record tests and use this as evidence. You should double check that your country regulations allow this type of evidence.

“I encourage companies to start using the modern innovative tools available to them in their ERP systems, as this will speed up the process, reduce errors and establish firm traceability rather than use old methods i.e. spreadsheets and manual processes.”

Has the move to the cloud made any difference to the way you’re having to validate solutions?

“All major ERP providers have now got a cloud ERP offering. When you’re selecting a cloud-based ERP system, you must make a very conscious decision and look to your provider to check closely if you can rely on their documentation. If you make a bad choice, you’ll get locked in.

“I really must emphasise the importance of selecting the right software vendor and the best IT service provider.”

Many organisations are now taking features based on “minimum viable product (MVP)”. Solutions are no longer being implemented in a big bang approach. Companies now tend to evolve a solution over time and add new features as and when they require them. What impact in terms of maintaining your validation does this have?

“Yes, this is something that we are very aware of at DHC and it’s becoming a challenge for companies to continually ensure that their software is safe.  Our validation processes enables this speed of change.

“There is also more reliance on software providers like Microsoft today, in terms of critical security and documentation going forwards with software in the cloud.”

What are the other benefits that a company might gain by engaging with an organisation like DHC?

“I think that it’s about knowing you have a robust framework, which helps you to reduce errors in projects, and knowing that the process and the outcome is going to be reliable, of good quality and trustworthy. The documentation also enables knowledge sharing amongst staff, so that you can remove dependence that you may have on a particular service provider or a certain member of staff.

“Many organisations leave themselves open to risk with old computer systems and less and less staff having the expert knowledge of how to use them well. If that person leaves the company, you have lost that knowledge. With a computerised system validation process, you have the sound methodology in place to ensure knowledge transfer, become more stable and you increase the knowledge of your processes in general.”

What is the effort that a company can expect to go through to achieve validation?  

“If you have a proper, quality approach to your system implementation, like gathering requirements, a good IT practice, and so on, then achieving system validation should be no big effort. I think the biggest differentiator to good IT practice is actually that you have control over the release management . You need to have the history in place.”

Finally, are there any trends that you are seeing that you think are going to change the nature of how validation is achieved in say, the next five years?

“Yes, as manufacturing ERP business systems play a big part in the industry today, we are always seeing a constant evolution, technologies change, methods change and so on. Today’s modern software tools remove much of the traditional burden on achieving validation, reducing the time needed for change control.

“The future of validation is even more streamlined. That’s because self-validating software is now a possibility. The cloud is the norm instead of the exception, which means more frequent releases, and companies will be able to automatically validate with no involvement from the user.

“Using a more risk-based approach, companies will be able to focus validation on the areas of greatest risk to the business and stay current with the latest software tools.”

More information

For more information about certification and validation of your Microsoft Dynamics 365 Manufacturing ERP software system, contact HSO.