Showing posts with label Compliance. Show all posts

Friday, July 30, 2021

GDPR Compliance


GDPR compliance is being enforced. The GDPR has already garnered international attention, with similar legislation in the works in countries like China, Japan, India, Brazil, and New Zealand. Attention around the GDPR has been mounting in the US as well. Beyond the United States and the other countries already mentioned, most experts predict that an even wider rollout of consumer data protections is inevitable.

Since GDPR took effect, Google was fined nearly $57 million for processing personal data for advertising purposes without obtaining the required consumer permissions. Google also failed to adequately inform consumers about how their data would be used, nor did it provide enough information about its data consent policies.

The GDPR requires companies doing business in EU member countries to get consumers' consent via an explicit opt-in process before collecting and sharing information about them; to provide a way for consumers to correct, update, and delete the data that companies hold about them; to fully disclose what information is being collected and how it will be used; and to properly notify all parties involved when there is a data breach.

Most companies are pushing to improve their processes by updating older software and procedures in the areas where their responsibilities are clear, while other areas remain gray and uncertain. Many companies are still reviewing their obligations under the legislation, trying to determine what applies to them and to their part in processing an individual's data.

In a recent survey from the International Association of Privacy Professionals, less than half of respondents said they were fully compliant with the GDPR, and nearly a fifth said they believed full compliance with the GDPR would be impossible.

One of the biggest shortfalls for businesses right now concerns the GDPR provisions requiring a full accounting of all the information organizations hold on consumers upon request within one month.

Companies should simply assume that all aspects of the GDPR apply to them.

Experts and insiders concede that the GDPR has been successful in one key area: Consumers now have more of an interest in what happens with their personal information. GDPR has made it simple for consumers to understand the important details about their data, such as how it is being used, where it is being stored, etc. Because of the GDPR, consumers are asking more questions and reading companies' privacy policies more closely. And that will ultimately lead to greater accountability.

The GDPR has also changed the entire dialogue between companies and customers.

Whether it was a stated goal of the GDPR or an unforeseen consequence, companies are beginning to self-regulate, knowing that regardless of the form, there is increased need to give consumers greater transparency and control over their data.

Because of the penalties and other negative ramifications of ignoring GDPR, companies have to take GDPR seriously with internal programs to organize their data better. Companies need to provide transparency about the data they capture, as well as a mechanism for consumers to choose which information can be captured and how it can be used.

For companies that have come into compliance, the GDPR has resulted in finely tuned databases and distribution lists, and streamlining email communication has made outreach more impactful with higher-than-before engagement rates.

If GDPR compliance is done right, companies will have the ability to create a master record of customer data on one platform.

That master record could contain all of the customer's allowed permissions, revoked permissions, or any changed notification settings, as well as a unified customer profile that combines details about their behaviors, interests, preferences, purchases, and other information from any engagement system or data source.

GDPR continues to require an investment of time and resources, but it is a worthwhile investment.

When all aspects of the GDPR are carried out fully, companies are able to deepen relationships and profitably grow revenue, consumers are able to gain transparency and control over their data, and regulators are able to safeguard commerce and consumer rights.

Galaxy Consulting has over 15 years in helping companies to achieve compliance in different areas, and since GDPR was released, we are helping companies to achieve compliance with GDPR. Please contact us for a free consultation.

Saturday, March 28, 2020

Purpose of Document Control and its Role in Quality Assurance

GxP/GMP, GDocP, ISO 9000 and documentation

GxP stands for "Good Practice", a family of quality guidelines and regulations. The "x" stands for the particular field, for example Good Documentation Practice (GDocP) or Good Financial Practice (GFP). There are many such regulations. One instance of GxP is Good Manufacturing Practice (GMP).

GMP describes the Quality Management System (QMS) required for manufacturing, testing, and quality assurance, in order to ensure that products are safe, pure, and effective. The ultimate goal of GMP is to enable companies to minimize or eliminate contamination and errors, which protects consumers from purchasing a product that is ineffective or even dangerous. GMP regulations are mandatory in regulated industries such as food and beverages, pharmaceuticals, medical devices, and cosmetics.

GMP documentation requirements are aligned with Good Documentation Practice (GDocP). GDocP is the standard in the regulated industries by which documents are created and maintained. It is the systematic set of procedures for preparing, reviewing, approving, issuing, recording, storing, and archiving documents.

ISO 9000 is a set of standards that deals with the fundamentals of a Quality Management System (QMS) and helps organizations ensure that they meet customers' needs within the statutory and regulatory requirements related to a product or service. ISO 9001 deals with the requirements that organizations wishing to meet the standard must fulfil.

GxP/GMP, GDocP, and ISO 9000 are all about a QMS, in which an organization needs to demonstrate its ability to consistently provide a product that meets customer and applicable statutory and regulatory requirements.

Documentation is the key to compliance with these regulations and ensures traceability of all development, manufacturing, and testing activities. Documentation provides the route for auditors to assess the overall quality of operations within a company and the final product. GMP, GDocP, and ISO 9000 are enforced by regulatory agencies. Auditors pay particular attention to documentation to make sure that it complies with these regulations.

Therefore, in order for an organization to meet these requirements, it must have documentation procedures in place. Documentation is a critical tool for ensuring this compliance.

Purpose of document control and its role in Quality Assurance (QA)

The primary purpose of document control is to ensure that only current documents, and not documents that have been superseded, are used to perform work, and that obsolete versions are removed. Document control also ensures that current documents are approved by the people who are competent and responsible for the specific job, and that documents are distributed to the places where they are used.

Document control is an essential preventive measure ensuring that only approved, current documents are used throughout an organization. Inadvertent use of out-of-date or unapproved documents can have significant negative consequences for quality, costs, and customer satisfaction, and can even cause death.

The role of QA with regard to the document control system is one of management and oversight.

QA ensures that all documents are maintained in a controlled fashion and that all controlled documents are approved by the appropriate subject matter experts, are consistent with other documents, and are the most current version.

One way that QA ensures this is by being the last signature on all approved documents. All documents - current, obsolete, and superseded - as well as the full history of the creation and revision of each document, should be kept by Quality Assurance.

Tuesday, February 24, 2015

508 Compliance and Content Management

Section 508 compliance seems tricky and confusing, but its implementation on content management systems is vital for many organizations. According to the United States Census Bureau, about one in five Americans live with some form of disability. That is a rather large number of people that you do not want to ignore.

All federal and state agencies of the U.S. government are required to meet Section 508 standards for accessibility. This law was established in 1998 to require that all technology used by the federal government be accessible to those with disabilities. This includes those with visual, auditory, physical, or cognitive impairments.

Assistive Technology

Those with disabilities often use assistive technology. This includes things like screen readers for visually impaired users. JAWS and Microsoft Narrator are a couple of popular software titles used for these purposes.

The Standards of 508 Section

There were 16 standards developed to make information and technology accessible to users with disabilities. These standards are the core requirements for making your content Section 508 compliant with the federal government. Unfortunately, there is no single automated solution that will magically make your site compliant.

These days, it is still a mix of manual and automated processes that drives a site's compliance. Among the requirements the standards set out:

- Sites must be accessible by keyboard only (without a mouse).
- All screens should be readable by screen readers, which can also read out alt tags and descriptions of images.
- Closed captioning (or transcripts of audio/video) should be available.
- Online forms should be completable using assistive technology (or the keyboard alone).

Good Tips for Usability

Good technology applies great user experience, user interaction and design principles. This is often referred to as UX/UI in the creative and IT industries. The two terms evolved from the guidance involved in usability principles, an area of expertise that has grown over several decades.

Good usability means the user is able to quickly perform a task with little to no difficulty. This often involves employing sensible and logical navigation, understandable required action items, well-defined terms, clean design, and smooth workflows. There are other options to consider that vary from project to project, but these are the most basic points to understand when dealing with usability as it pertains to Section 508 compliance.

Software and Technology Function Essentials for Section 508

The software and technology fundamentals here are designed to make computing life a bit easier for those with a disability. Your CMS should follow these guidelines and tips. Remember that everything should be executable from the computer keyboard, without a mouse, because some people cannot use a mouse. On the keyboard side this includes shortcuts, object/image manipulation, and dropdown list operation, to name a few. StickyKeys, FilterKeys, MouseKeys, and High Contrast are some useful operating system functions for this.

Your organization should also maintain a well-defined on-screen solution for focusing. An indicator that moves with the other interface elements is the preferred method for your CMS. Assistive technology should help with focus controls.

Web browsing comes naturally to most of us who can use all five senses, but someone with an impairment will have trouble. That is why it is important to make sufficient information about the user interface, such as the identity, operation, and state of its elements, available to the assistive technology. An image that represents a program element (an icon) should also be accompanied by text that describes that function. The meaning of icons or bitmap images used to identify elements of an application should also be consistent throughout.

Textual information should be provided through the operating system’s (OS) functionality for text display. Text content, text input caret location and text attributes are the minimum textual information that should be displayed in the CMS.

Display options also need to be adjusted for those with vision impairment. For example, applications should never override a user's selected contrast levels or color selections on the screen. Display functions should accommodate those with a disability. When there is animation, the same content or information should also be available to users in non-animated form. The user should also be able to choose the presentation mode of this content prior to viewing or consuming it.

Organization is also key for some. For instance, for section 508 compliance in the CMS, it is important to label items clearly so they may be easily understood. Color coding or highlighting items should not be the sole way to handle the process of conveying information, indicating an action, prompting a response or distinguishing a visual element. A large range of color and contrast items also helps users stay organized with large loads of information that may need to be categorized and organized in a certain fashion within folders, directories, etc.

There are also some key elements to avoid. One good example is blinking or flashing elements. Not only can they be annoying and distracting, but they can also be problematic for the end user. In particular, any flash or blink frequency between 2 Hz and 55 Hz should be avoided.

Assistive technology should also be available to users who are filling out digital forms. It should be able to assist with accessing information, modifying information and submitting information.

Contextual information is also very important. Users with all five senses may take certain elements for granted, but these items should be accessible to those with disabilities too. Information conveyed in color should also be available without it, through markup or context clues for the user. Documents should be readable without a style sheet. Redundant text links should be provided for each active region of a server-side image map (replacing image elements with text elements). Table data should be clearly defined, including row or column headers. Even frames should be clearly identified as elements.
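Several of the requirements above (alt text on images, labels on form inputs, header cells in tables, identified frames, no blinking elements) can be checked mechanically before a manual review. The following checker is an added example written for this post, not code from the original article or from any product it names; it runs Python's standard html.parser over a constructed sample page and reports the issues it finds. Which elements count as form inputs, and the exact wording of the findings, are assumptions of this example.

```python
from html.parser import HTMLParser

# Constructed sample page (not taken from any real site) with several deliberate
# accessibility problems for the checker to find.
SAMPLE_HTML = """
<html><body>
<img src="logo.png" alt="Company logo">
<img src="chart.png">
<form>
  <label for="email">Email</label><input id="email" type="text">
  <input id="phone" type="text">
  <input type="submit" value="Send">
</form>
<table><tr><th>Name</th><th>Role</th></tr><tr><td>A</td><td>B</td></tr></table>
<table><tr><td>1</td><td>2</td></tr></table>
<frame src="nav.html">
<blink>Sale!</blink>
</body></html>
"""

# Input types that need no visible label of their own (assumed list).
UNLABELLED_INPUT_TYPES = ("submit", "hidden", "button", "reset")


class AccessibilityAudit(HTMLParser):
    """Collects Section 508 style findings while the page is tokenized."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._labels_for = set()      # ids referenced by <label for=...>
        self._inputs = []             # ids of inputs that need a label
        self._table_has_th = []       # one flag per currently open <table>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and "alt" not in a:
            # alt="" is allowed for purely decorative images; a missing alt is not.
            self.findings.append(f"img {a.get('src')} has no alt attribute")
        elif tag == "label" and a.get("for"):
            self._labels_for.add(a["for"])
        elif tag == "input" and a.get("type", "text") not in UNLABELLED_INPUT_TYPES:
            self._inputs.append(a.get("id"))
        elif tag == "table":
            self._table_has_th.append(False)
        elif tag == "th" and self._table_has_th:
            self._table_has_th[-1] = True
        elif tag in ("frame", "iframe") and not a.get("title"):
            self.findings.append(f"{tag} {a.get('src')} has no title")
        elif tag in ("blink", "marquee"):
            self.findings.append(f"<{tag}> element present")

    def handle_endtag(self, tag):
        if tag == "table" and self._table_has_th:
            if not self._table_has_th.pop():
                self.findings.append("table has no header cells")

    def close(self):
        super().close()
        # Labels may appear after the input they describe, so resolve at the end.
        for ident in self._inputs:
            if ident not in self._labels_for:
                self.findings.append(f"input {ident} has no associated label")


def audit(html: str) -> list:
    """Return the list of findings for one HTML document."""
    parser = AccessibilityAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HTML):
        print(finding)
```

The checker is deliberately narrow: it cannot judge whether alt text is meaningful, whether color is the only carrier of information, or whether the page works by keyboard alone, which is why the manual part of the process remains.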

There are many other standards and compliance rules of thumb to follow. It is best to consult with an expert on maintaining Section 508 compliance.

Thursday, March 13, 2014

Compliance With Privacy Regulations

Recently, high-profile cases involving breaches of privacy revealed the ongoing need to ensure that personal information is properly protected. The issue is multidimensional, involving regulations, corporate policies, reputation concerns, and technology development.

Organizations often have an uneasy truce with privacy regulations, viewing them as an obstacle to the free use of information that might help the organization in some way.

But like many compliance and governance issues, managing privacy will offer benefits, protecting organizations from breaches that violate laws and damage an organization's reputation. Sometimes the biggest risks in privacy compliance arise from the failure to take some basic steps. A holistic view is beneficial.

Privacy Compliance Components

Rather than being in conflict with business objectives, privacy should be fully integrated with them. Privacy management should be part of the knowledge management program.

An effective privacy management program has three major components: establishing clear policies and procedures, following those procedures to make sure that the organization's operations comply with the policies, and providing oversight to ensure accountability. Examples of questions to consider: is data being shared with third parties, why is the information being collected, and what is being done with it?

Expertise about privacy compliance varies widely across industries, corresponding to some degree with the size of an organization. Although large companies are far from immune to privacy violations, they might at least be aware and knowledgeable about the issue.

The biggest mistake that organizations make in handling privacy is to collect data without a clear purpose. You should know not just how you are protecting personal information but also why you are collecting it. It is important for organizations to identify and properly classify all their data.

International Considerations

Increasingly, organizations must consider the different regulations that apply in countries throughout the world, as well as the fact that the regulations are changing. For example, on March 12, 2014, the Australian Privacy Principles (APPs) will replace the existing National Privacy Principles and Information Privacy Principles.

The new principles will apply to all organizations, whether public or private, and contain a variety of requirements including open and transparent management of personal information. Of particular relevance to global companies are principles on the use and disclosure of personal information for direct marketing, and cross-border disclosure of personal information.

It is important to consider international regulations in those countries where an organization has operations.

Technology Role

The market for privacy management software products is still relatively small, but it is expected to grow rapidly over the coming years. The current reform process for data protection has created a need for privacy management technology.

Products from companies such as Compliance 360 automate the process of testing the risk for data breaches, which is required for the audits mandated by the Economic Stimulus Act of 2009. This act expanded the Health Insurance Portability and Accountability Act (HIPAA) of 1996 requirements through its Health Information Technology for Economic and Clinical Health (HITECH) provisions.

These provisions include increased requirements for patient confidentiality and new levels of enforcement and penalties. In the absence of suitable software products, organizations must carry out the required internal audits and other processes manually, which is time consuming and subject to errors.

Enterprise content management (ECM), business process management (BPM), and business intelligence (BI) technology have an important role in privacy compliance because content, processes, and reporting are critical aspects of managing sensitive information.

As generic platforms, they can be customized, which has both advantages and disadvantages. They have a broad reach throughout the enterprise, and can be used for many applications beyond privacy compliance. However, they are generally higher priced and require development to allow them to perform that function.

Privacy in the Cloud

Cloud applications and data storage have raised concerns about security in general, and personally identifiable information (PII) in particular. Although many customers of cloud services have concluded that cloud security is as good or better than the security they provide in-house, the idea that personally identifiable information could be "out there" is unsettling.

PerspecSys offers a solution for handling sensitive data used in cloud-based applications that allows storage in the cloud while filtering out personal information and replacing it with an indecipherable token or encrypted value.

The sensitive data is replaced by a token or encrypted value that takes its place in the cloud-based application. The "real" data is retrieved from local storage when the token or encrypted value is retrieved from the cloud. Thus, even though the application is in the cloud, the sensitive information is neither stored in the cloud nor viewable there. It physically resides behind the firewall and can only be seen from there.

This feature is especially useful in an international context where data residency and sovereignty requirements often specify that data needs to stay within a specific geographic area.
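The mechanism described above, a vault behind the firewall that swaps personal fields for tokens before a record reaches the cloud application and swaps them back on the way in, is shown below as an added example. It is illustrative code written for this post, not PerspecSys's product or any vendor's implementation; the record layout, the choice of which fields count as personal information, and the token format are assumptions of the example.

```python
import re
import secrets

# Constructed sample record (not real customer data) as a cloud application would store it.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "name": "Ada Example",
    "email": "ada@example.invalid",
    "plan": "enterprise",
}

# Fields this example treats as personal information (an assumed policy).
PII_FIELDS = ("name", "email")

# Token format used by this example: a fixed prefix plus 128 random bits in hex.
TOKEN_RE = re.compile(r"^tok_[0-9a-f]{32}$")


class TokenVault:
    """On-premises store that keeps the real values and maps them to random tokens.

    Only the vault ever sees the raw value; the cloud side only ever sees tokens,
    which carry no information about the value they stand for.
    """

    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, value: str) -> str:
        # Reuse the existing token so the same value always maps to the same token;
        # this lets the cloud application match records without seeing the value.
        if value in self._by_value:
            return self._by_value[value]
        token = "tok_" + secrets.token_hex(16)  # random, unrelated to the value
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        # Unknown tokens raise KeyError: there is nothing on premises to restore.
        return self._by_token[token]


def outbound(record: dict, vault: TokenVault) -> dict:
    """The record as it leaves the firewall: PII fields replaced by tokens."""
    return {k: (vault.tokenize(v) if k in PII_FIELDS else v) for k, v in record.items()}


def inbound(record: dict, vault: TokenVault) -> dict:
    """The record as shown to an on-premises user: tokens replaced by real values."""
    return {k: (vault.detokenize(v) if k in PII_FIELDS else v) for k, v in record.items()}


def leaks_pii(cloud_record: dict) -> bool:
    """True if any PII field of a cloud-side record holds something other than a token."""
    return any(TOKEN_RE.match(str(cloud_record.get(k, ""))) is None for k in PII_FIELDS)


if __name__ == "__main__":
    vault = TokenVault()
    stored_in_cloud = outbound(SAMPLE_RECORD, vault)
    print("cloud copy:", stored_in_cloud)
    print("leaks PII:", leaks_pii(stored_in_cloud))
    print("restored on premises:", inbound(stored_in_cloud, vault))
```

Two design points matter here. The tokens are random rather than derived from the value, so a copy of the cloud database reveals nothing about the people in it; the cost is that the vault itself becomes the asset to protect and back up. And because each value is always given the same token, the cloud application can still search and join on those fields, but an observer who can see many records can count how often a token recurs, which is a known trade-off of consistent tokenization.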

Challenges for Small Organizations

Small to medium-sized organizations generally do not have a dedicated compliance or privacy officer, and may be at a loss as to where to start.

Information Shield provides a set of best practices including a policy library with prewritten policies, detailed information on U.S. and international privacy laws, checklists and templates, as well as a discussion of the Organization for Economic Co-operation and Development (OECD) Fair Information Principles. Those resources are aimed at companies that may not have privacy policies in place but need to do so to provide services to larger healthcare or financial services organizations.

Among the resources is a list of core privacy principles based on OECD principles. Each principle has a question, brief discussion and suggested policy. For example, the purpose specification principle states, "The purposes for which personal information is collected should be specified no later than the time of data collection, and the subsequent use should be limited to fulfilling those purposes or such others that are specified to the individuals at the time of the change of purpose." The discussion includes comments on international laws and a citation of several related rulings.

Plans for Future

Business users and consumers alike have become accustomed to the efficiency and speed of digital data. However, stricter regulations are inevitable. Organizations should become more aware of the need to prevent privacy breaches, and make sure they have the systems in place to do so. Companies should also be concerned about reputation damage, which can severely affect business. Along with reliable technology, the best way forward is to follow best practices with respect to data privacy. Technology is essential, but it also has to be supported by people and processes.

Thursday, October 31, 2013

Information Governance With SharePoint

The goals of any enterprise content management (ECM) system are to connect an organization's knowledge workers, streamline its business processes, and manage and store its information.

Microsoft SharePoint has become the leading content management system in today's competitive business landscape as organizations look to foster information transparency and collaboration by providing efficient capture, storage, preservation, management, and delivery of content to end users.

A recent study by the Association for Information and Image Management (AIIM) found that 53% of organizations currently utilize SharePoint for ECM. SharePoint's growth can be attributed to its ease of use, incorporation of social collaboration features, as well as its distributed management approach, allowing for self-service. With the growing trends of social collaboration and enhancements found in the latest release of SharePoint 2013, Microsoft continues to facilitate collaboration among knowledge workers.

As SharePoint continues to evolve, it is essential to have a solution in place that would achieve the vision of efficiency and collaboration without compromising on security and compliance. The growing usage of SharePoint for ECM is not without risk. AIIM also estimated that 60% of organizations utilizing SharePoint for ECM have yet to incorporate it into their existing governance and compliance strategies. It is imperative that organizations establish effective information governance strategies to support secure collaboration.

There are two new features in SharePoint 2013 that help with compliance issues. The eDiscovery Center is a SharePoint site that gives you more control over your data: it lets you identify, hold, search, and export the documents needed for e-discovery. The "In-Place Hold" feature preserves documents and places a hold on them while users continue working on them. These features are available for both on-premises and cloud solutions.

SharePoint 2013 has been integrated with Yammer, which provides many social features. This presents a new compliance challenge. Yammer plans to integrate more security in future releases, but for now organizations need to create policies and procedures for these social features. Roles such as "Community Manager", "Yambassadors", and "Group Administrators" might be introduced.

There are third-party tools that can be used with SharePoint for compliance and information governance: Metalogix and AvePoint for governance and compliance; CipherPoint and Stealth Software for encryption and security; and ViewDo Labs and Good Data for Yammer analytics and compliance.

In order to most effectively utilize SharePoint for content management, there are several best practices that must be incorporated into information governance strategies as part of an effective risk management lifecycle. The goal of any comprehensive governance strategy is to mitigate risk, whether this entails downtime, compliance violation or data loss. In order to do so, an effective governance plan must be established that includes the following components:

Develop a plan. When developing your plan, it is necessary for organizations to understand the types of content SharePoint contains before establishing governance procedures. It is important to involve the appropriate business owners and gather any regulatory requirements. These requirements will help to drive information governance policies for content security, information architecture and lifecycle management.

When determining the best approach to implement and enforce content management and compliance initiatives, chief privacy officers, chief information security officers, compliance managers, records managers, SharePoint administrators, and company executives will all have to work together to establish the most appropriate processes for their organization as well as an action plan for how to execute these processes. During the planning phase, your organization should perform an assessment, set your organization's goals, and establish appropriate compliance and governance requirements based on the results of the assessment to meet the business objectives.

Implement your governance architecture. Once your organization has developed a good understanding of the various content that will be managed through SharePoint, it is time to implement the governance architecture. In this phase, it is important to plan for technical enforcement, monitoring and training for employees that address areas of risk or noncompliance. It is important to note that while SharePoint is known for its content management functionality, there are specific challenges that come with utilizing the platform as a content management system for which your governance architecture must account: content growth and security management.

In order to implement effective content management, organizations should address and plan to manage growth of sites, files, storage, and the overall volume of content. Organizations without a governance strategy often struggle with proliferation of content with no solutions to manage or dispose of it. This is a huge problem with file servers. Over time, file servers grow to the point where they become a bit like the file cabinet collecting dust in the corner of your office. It is easy to add in a new file, but you will not find it later when you need it. The challenge comes from the planning on how to organize and dispose of out-of-date content.

SharePoint offers the technology to address these challenges, but only if it is enabled as part of your governance plan. Information management policies can be used to automatically delete documents, or you may be using third-party solutions to archive documents, libraries and sites. By default in SharePoint 2013, Shredded Storage is enabled to reduce the overall storage of organizations that are utilizing versioning. Remote BLOB Storage (RBS) can also be enabled in SharePoint or through third-party tools to reduce SharePoint's storage burden on SQL Server.

Tagging and classification plays a key role in information governance. Proper classification can improve content findability. Organizations can utilize SharePoint's extensive document management and classification features, including Content Types and Managed Metadata to tag and classify content. Third-party tools that extend SharePoint's native capabilities can also filter for specified content when applying management policies for storage, deletion, archiving, or preservation. Ultimately, however, the people in your organization will play the biggest role here. As such, your plan should identify who the key data owners are and the areas for which they are responsible. This role is often filled by a "site librarian" or those responsible for risk management in the enterprise.

In order to minimize risk to the organization, it is imperative to ensure that information is accessible to the people who should have it and protected from the people who should not have access. SharePoint has a very flexible system of permissions that can accommodate this requirement.

Ongoing assessments. In order to ensure that established governance procedures continue to meet your business requirements ongoing assessment is required. Conduct ongoing testing of business solutions, monitoring of system response times, service availability and user activity, as well as assessments to ensure that you have complied with your guidelines and requirements for properly managing the content. The content is essentially your intellectual property, the lifeblood that sustains your organization.

React and revise as necessary. In order to continue to mitigate risk, respond to evolving requirements, and harden security and access controls, you must take the information gathered in your ongoing assessments and use it to make more intelligent management decisions. Continue to assess, react, and revise as necessary. With each change, continue to validate that your system meets the necessary requirements.

The risk has never been higher, especially as more data is created alongside growing regulatory compliance mandates requiring organizations to ensure that their content is properly managed.

If you develop a plan, implement a governance architecture that supports that plan, assess the architecture on an ongoing basis, and react and revise as necessary, your organization will have the support and agility necessary to truly use all of the content it possesses to improve business processes, innovation, and competitiveness while lowering total costs.

Wednesday, July 31, 2013

ISO 9001 and Documentation

ISO 9001 compliance becomes increasingly important in regulated industries. How does it affect documentation? Here is how...

What is Document Control?

Document control means that the right persons have the current version of the documents they need, while unauthorized persons are prevented from using them.

We all handle many documents every day. These documents include forms that we fill out, instructions that we follow, invoices that we enter into the computer system, holiday schedules that we check for the next day off, rate sheets that we use to bill our customers, and many more.

An error on any of these documents could lead to problems. Using an outdated version could lead to problems. Not knowing if we have the latest version or not could lead to problems. Just imagine us setting up a production line to outdated specifications or making strategic decisions based on a wrong financial statement.

ISO 9001 gives us tools (also referred to as "requirements") that show us how to control our documents.

ISO 9001 Documents

There are no "ISO 9001 documents" that need to be controlled and "non ISO 9001 documents" that don't need control. The ISO 9001 system affects an entire company, and all business-related documents must be controlled. Only documents that have no impact on products, services, or the company don't need to be controlled; all others need control. This means, basically, that any business-related document must be controlled.

However, how much control you apply really depends on the document.

The extent of your approval record, for example, may vary with the importance of the document (remember, documents are approved before they are published for use).

The Quality Policy, an important corporate policy document, shows the signatures of all executives.

Work instructions often just show a note in the footer indicating approval by the department manager.

Some documents don't even need any approval record: if the person who prepared a document is also responsible for its content (e.g., the Quality Manager prepares instructions for his auditors), a separate approval is superfluous.

On the other hand, identifying a document with a revision date, source and title is basic. It really should be done as a good habit for any document we create.

Please note that documents can be in any format: hard copy or electronic. This means that, for example, the pages on the corporate intranet need to be controlled.

Responsibility for Document Control

Document control is the responsibility of all employees. It is important that all employees understand the purpose of document control and how to control documents in accordance with ISO 9001.

Please be aware that if you copy a document or print one out from the Intranet and then distribute it, you are responsible for controlling its distribution! The original author will not know that you distributed copies of this document, so the original author can't control your distribution.

Dating Documents

ISO 9001 requires that every document show when it was created or last updated. Many of us may have thought of using our word processor's automatic date function for this, but... should we use the automatic date field on documents?

Generally not. If you enter the automatic date field into a document, the field will automatically be updated to always show the current date, no matter when you actually created or updated the document.

For example, if you use the automatic date field in a fax and you save the fax on your computer for future reference, you won't be able to tell when you wrote the fax: when you open the fax on your computer, it will always show today's date.

The automatic date field is not suitable for document control. Therefore, as a general rule, don't use the automatic date field to identify revision status.

ISO 9001 Documentation

ISO 9001 documentation includes:
  • the Quality Procedures Manual, which also includes corporate policies and procedures affecting the entire company;
  • work instructions, which explain in detail how to perform a work process;
  • records, which serve as evidence of how you meet ISO 9001 requirements.

Policies and Procedures

Our ISO 9001 Quality Manual includes the corporate Quality Policy and all required ISO 9001 Procedures. While most procedures affect only managers, every employee must be familiar with the Quality Policy and with the Document Control procedure. The Quality Policy contains the corporate strategy related to quality and customer satisfaction; all other ISO 9001 documents must follow this policy. The Document Control procedure shows how to issue documents, as well as how to use and control them.

Continuous Improvement

Implementing ISO 9001 is not a one-time benefit to a company. While you are utilizing the quality manual, quality procedures and work instructions in daily business activities, you are not only benefiting from better quality and increased efficiency but you are also continually improving. In fact, the ISO 9001 requirements are designed to make you continually improve. This is a very important aspect because companies that don't continue to improve are soon overtaken by the competition.

Thursday, January 31, 2013

Information - Governance, Risk and Compliance – GRC - Part 3

In parts 1 and 2 of my posts about governance, risk, and compliance, I described why information governance is important, where to begin with information governance, and I started to describe what needs to be considered in information governance policies. In this post I will describe information governance policies as they relate to crisis management and e-discovery, and list general information governance control points.

Information Governance for Crisis Management

Crisis management is a set of procedures for unplanned situations that would prevent you from performing the critical functions of your job.

Such situations can be:
  • Availability – illness, weather, turnover, fire, flood, severe weather, facility issues
  • Technology – phone cut-off, system outage, applications are down, network problems
  • Volume/Capacity – huge number of calls (in the example of call center)
  • Special situations – pandemic, loss of facility, tornado, etc.

An approaching storm or disaster does not provide much leeway to assess your disaster recovery preparations.

For example, if your CMS is down, what happens to those departments who need to use critical documents?

Solutions:

What you need to do is to develop a plan for each crisis situation. It should be designed to implement disaster recovery. Planning is very important.

Prioritize requirements as short, medium, and long-term. Assess business needs. For example, how do you want to handle a spike of calls (if you are in a call center)? A short-term plan could be to re-route calls for live answer to where there are people. A medium- to long-term plan could be an alternative site or working from home.

Make your plan flexible. Have an incident coordinator. Create a communication plan that includes who is responsible for coordinating the recovery process. Create a crisis team, which could include IT, QA, management, and business partners. Outline responsibilities and procedures in the document.

Test this procedure at least once a year. Do a post-analysis: timing, access gaps, communication of results; recommend changes and a training plan for the next test, maybe next quarter rather than next year. Evaluate your systems when you have no crisis.

Other points:
  • Address disaster recovery in addressing planned and unplanned downtime.
  • Virtualize your data center.
  • Ensure swift restoration of content items following corruption or accidental deletion.
  • Maintain all metadata during and after recovery events.
  • Ensure seamless transition to a warm stand-by system should the main system fail.
  • Plan what to do if outage happens.
  • Maximize platform up-time and swift restoration of platform following a disaster event.
  • Users need to feel confident that the system will protect content and will be available regardless of any disaster, otherwise user adoption will fail – users will go back to their old habits essentially halting KM effort in its tracks.

Information Governance for E-Discovery

E-Discovery preparedness makes it imperative for organizations to develop an enterprise-wide strategy to manage the volume of electronic information. The discovery process affects many individuals in an organization, not just lawyers and others involved in discovery, but also IT professionals and records managers, who have to be prepared to produce electronic content for discovery and litigation.

You need to be able to respond to legal requests, resolve litigation issues, mitigate the risk of sanctions, and reduce the impact and cost associated with future litigation.

For legal counsel, it means having a review process to determine what discovered content is relevant to the case. For an IT person, it means restoring backup tapes to show evidence on file shares, content management systems, e-mail systems, or other applications. But for records managers, this work will have begun long before any lawsuit with managing records for retention, placing legal holds, and finalizing disposition.

E-discovery could be costly because it requires organizations to retrieve content from servers, archives, backup tapes, and other media.

In some cases, an organization is unable to execute a discovery order because it is unable to locate all content in a timely manner, or it is unable to place holds on all content and some of it is deleted during the lawsuit. The inability to do this correctly also has a cost, and it can be considerable.

To address these costs, many organizations are looking at e-discovery solutions that will enable them to review the found content and take it through litigation.

But organizations can also lower costs for archiving and restoring, legal review, and sanctions by simply cutting down how much content they retain. Less stored content means less content on which to perform discovery.

Developing a strategy and a plan of action for handling e-discovery will help organizations mitigate their risk and save them a significant amount of money in the event of litigation. Organizations need to have a retention policy to determine which content can be destroyed and at what time and which content should be kept and for how long. The key is to have a retention program that is flexible enough to keep content for the right retention period.

By categorizing content, creating a catalog of the content, creating a retention plan, implementing a hold methodology, and having disposition procedures, an organization will benefit in many ways.

Solutions: Integrate e-discovery into information governance practice. Include key capabilities:
  • understand and secure – identify and categorize docs; docs are distributed globally; find and correctly identify them
  • automate and enforce - extend policies to docs within unmanaged repositories such as file shares, SharePoint, etc. Automate processes in a transparent manner to manage and control docs. Retention and disposition policies that can be enforced within ECM.
  • protect and control – regulate how docs accessed and used; security controls over docs; control who can access protected docs
  • discover and produce – ability to produce relevant docs upon demand is a mandatory requirement.

Develop retention programs. Create committees within your organization and bring their expertise together with legal counsel and IT to prepare for e-discovery and litigation.

General Governance Controls
  • Understand your data topology – holistically across the enterprise: how much, where, who owns it, and what value does it provide.
  • Employ real-time indexing of content – to keep track of its changes.
  • Store the intelligence about your content (metadata).
  • Create an information intelligence service center and include data analysis, governance analysis.
  • Employ change management to stay current with new forms of content and new business requirements.
  • Become proactive in deploying policies for securing data, storing data, sharing data and enforcing compliance.
  • Remove obsolete or unnecessary content.
  • Define content life cycle and retention policies.
  • Tier your access to enable relevant data to be closer to users and devices that are local.
  • Educate the organization on the value of good governance; it is less about control and more about raising the intelligence and health of information.
  • Categorize your information and determine its value and rank.
  • Use content approval function in your CMS.
  • As deployments grow, organizations must also find ways to efficiently store records in compliance with records management retention policies.
  • Create a retention schedule, content controls, and consistent disposition of content in accordance with records management policies for content preservation, remediation, and retention.
  • Keep track of what info is created, stored, and accessed.
  • Use auto-classification and semantic tools within the search engines.
  • Move relevant documents from desktops and shared drives to your central docs repository.
  • Create efficient document versioning and check-in/check-out management for information consistency.
  • Create robust administration of users to ensure that each has access rights only to the documents they are authorized to access.

Tuesday, January 29, 2013

Information - Governance, Risk and Compliance – GRC - Part 2

In my last post about governance, risk, and compliance, I described why information governance is important and where to begin with information governance. Today, I will describe what needs to be considered in information governance policies and will give some recommendations.

What needs to be considered in information governance policies?

Government mandates - If you are in a regulated industry, you need to consider first and foremost government mandates such as GMP/GxP and ISO 9001. You need to make sure that your document management and IT are compliant with these requirements.

Proliferation of content - there has been explosive growth in the creation and collection of content by organizations and individuals. Content is stored in CMSs, data warehouses, physical warehouses, desktop computers, file shares, back-up archives, mobile devices, cloud services, employees' personal computers, and other devices such as tablets, smart phones, etc. To complicate matters, this information is also geographically dispersed.

In SharePoint, for example, a small department gets a site, other departments take notice and start their own sites, and suddenly you have small SharePoint instances pervading everywhere. What an organization should do instead is take those separate silos of SharePoint and combine them into one centrally managed environment. It is a matter of having a plan in place first, then applying the technology to achieve those business goals.

Information governance policies should cover desktops and shared drives, CMSs, databases and data warehouses, email systems, cloud-based apps, social media platforms, and physical warehouses. Content may also be stored with a third party; this needs to be considered.

Employees send email with document attachments. These emails and attachments have significant value to the business, whether they contain contract terms, meeting notes, or even employees' opinions on a given topic. Email requires governance, so it needs to be included in your information governance policies.

Big data – are you prepared? What measures has your IT organization taken to help with this issue?

Cloud computing – If you use cloud computing, you need to create a governance policy for it.

Mobile Devices - Employees use mobile devices to do their job. Many companies don’t have policies that cover things like tablets and handhelds. They are starting to, but it is just a beginning. You need to create policies for mobile devices and a mechanism to enforce those policies. And in a regulated environment, you would need to prove that you are enforcing those policies.

Social media - the challenge is effectively leveraging social media while protecting the organization from non-compliance.

Create a comprehensive social media governance plan. It should include compliance supervision of interactive social content; conceptual search and policy-based monitoring of all information, inside and outside the firewall; established social media usage policies and procedures, with staff trained on them; and preservation and collection of relevant social media content for compliance and litigation purposes.

Consider all content and access methods involved as users connect via smartphones and tablets.

Employ solutions that capture additional approval on a site-by-site basis to verify assent for capturing and monitoring.

Wherever possible create separate business identities for social media to minimize capture of personal or private information.

Govern employees' interactions. Most regulated organizations are taking a measured approach to social media, starting with a small number of employees and approved social media sites.

Monitor and capture inside-based interactions within corporate networks. Moderate inside-based interactions. Be mindful of legal and regulatory guidelines.

The BYOD phenomenon – “bring your own device”. People bring their iPads, iPhones, etc. to conferences and to work, taking notes, making presentations, responding to email, updating the pipeline, etc. All this content belongs to the organization, but the device does not. What happens when this employee leaves the company? Or when that employee loses the tablet? What happens to the information?

I read about the case where a doctor had all his patients’ medical records unencrypted on his laptop. The laptop was stolen.

There may also be multiple versions of documents floating around, passed from one person to another and tweaked a little along the way. Each of them is legally discoverable.

Be sure that the official version of the document is stored in your CMS and managed by your governance program.

It is imperative to have a policy to protect this information and to enforce that policy across all those devices.

Security – sensitive information must be protected, i.e. encrypted. LinkedIn got hacked and all passwords got stolen. What are you going to do so that this does not happen to your organization?

Intellectual property - What about a pharmaceutical company developing a new drug, not yet under patent protection, and an employee takes that information to a competitor?

Of special importance is information related to future revenue. For example, a pharmaceutical company should place a high priority on protecting information related to future products which are not covered by patents.

It is vital for companies to have a system in place to protect sensitive content such as for example product roadmaps, manufacturing plans, vendor supply lists, marketing and promotional strategies.

In my next post, I will describe information governance for crisis management and e-discovery.

Sunday, January 27, 2013

Information - Governance, Risk and Compliance – GRC - Part 1

Governance is about securing information and also about using information for greater value. People don’t talk much about the value of information, but information is a strategic asset of a company.

What makes a company great among other things is the ability to take information and use it as an asset. Information is what drives an organization, whether it is through development of new drugs, new products, looking into new geographic regions to expand to, etc.

Governance is like an insurance policy that you feel you are paying for nothing, until you need it. You don’t know when and if an “accident” will happen and you don’t know how big it will be, but when it does happen, you are very happy that you have that insurance policy. Until then you resent having to pay for it. Governance, which is controls, is your insurance policy.

KM can be costly in terms of fines, brand reputation, and legal fees. In the case of legal discovery, the lack of documents means a disaster. The absence of document control will result in violating regulatory compliance.

To an increasing extent, organizations are focusing on risk management as a central issue in the GRC equation. Enterprise Risk Management (ERM) is now a bigger driver for GRC than Sarbanes-Oxley or other compliance requirements. Organizations want a top-down viewpoint on risk, whether it results from non-compliance or operational issues, and want to know what is being done to mitigate it. ERM is increasingly considered a strategic tool to support governance and improve business performance.

Governance and compliance are essential business functions. Risks need to be understood and managed. Risk management does not mean that every risk can be anticipated, but it does mean planning for risk and having alternatives ready.

Information governance means effective content controls, allowing all information to be securely and properly shared across departments, geographic locations, and systems.

Organizations need a closed loop environment for assessing business risks, documenting compliance and automating control monitors to sift through their business systems.

For example, SharePoint is a widely adopted system for knowledge management. According to a recent AIIM report, more than 60% of organizations have yet to bring their SharePoint deployment into existing compliance, retention, and long-term archive policies.

To prevent potential exposure of sensitive or classified information, it is imperative for organizations to bring their SharePoint in line with existing compliance policies.

Benefits of information governance: it helps management enforce focus on the business mission; employees have information that is accurate, current, and in a suitable format for their use; employees are more efficient and productive; removing duplicate and unnecessary content reduces the time needed to find information and derives higher profits; operational cost is lowered; retention management optimizes the cost-effectiveness of storage platforms; legal fees are reduced in case of litigation.

Where to begin?

To start an information governance initiative, create a steering committee: CIO, legal officer, compliance officer, and other main stakeholders.

Outline the scope, timeline, and budget.

It should be rolled out from the top. This way everybody will be on the same page.

Have a strategy. Strategy should drive what is measured and monitored for compliance and performance.

Information governance strategy must account for the value of information and how it is classified and accessed.

Information governance policies should support all of the organization’s governance controls – retention, disposition, legal hold, data privacy and security.

Policies need to be scalable, enforceable, and measurable. It is better not to have a policy than to have a policy which can’t be enforced.

Policies should change depending on new business requirements, regulatory demands, rising costs, litigation. Companies must have a process to update, validate, deploy, and enforce these policies. They should be deployed without negatively impacting users and operations.

Rank the value of information depending on its type and where it is coming from. For example, information created by the VP of sales should be ranked higher than information created by a marketing intern.

More about governance in the next post.

Wednesday, February 15, 2012

Change Control in the Regulated Industries

In my last post, I described the change control process in general and mentioned that in regulated industries, manufacturers are required to use a change control procedure. I am going to describe this change control procedure in this post.

A change control procedure is usually one of the standard operating procedures (SOPs). It usually includes a change control form. Some companies also use change request forms for suggested changes. This procedure usually includes the following components:

Identification

The identification of the changed device, assembly, component, labeling, packaging, software, process, procedure, manufacturing material, and any other related item or document. The change control form has blank spaces for recording this data.

Effective Date

The effective date of the change which is usually a completion date, or an action to be performed when a specific event occurs, such as "implement the change when the new part is installed, validated, and operational." The blank on the change control form for recording the effective date should not be left empty.

Responsibility

The change procedure should state which department or designee is responsible for each function to be performed.

Revision Number

The change procedure should describe the way the revision level is to be incremented. It is common practice to use sequential numbers for revisions.

Communication

The change procedure should describe the communication of changes to all affected parties such as production, purchasing, contractors, suppliers, etc. As appropriate, the document might include activities that apply to internal operations. Examples are employee training, rework, or disposition of in-process assemblies, use of revised drawings and/or procedures, and disposition of old documents.

Updating Documentation

The change procedure should cover updating of primary and secondary documentation such as instruction manuals. Usually there are no problems with updating or revising primary documentation -- in fact, that is a major reason the given change order is being processed. In contrast, it is rather easy to forget that related secondary documents such as component drawings, instruction manuals or packaging require revision if affected by a given change. The use of a good change control form can alleviate this problem.

Documentation Distribution

Revised documentation should be distributed to persons responsible for the operations affected by the change and old documents removed and filed or discarded, as appropriate. After updated documents have been approved, these documents have to be made available at all locations for which they are designated, used, or otherwise necessary, and all obsolete documents have to be promptly removed from all points of use or otherwise prevented from unintended use.

Remedial Actions

Certain changes may require remedial action. Changes of this nature should be addressed in the change control procedure.

Regulatory Submissions

There may be changes that require a regulatory submission. The change control procedure should specify whether regulatory submissions should be considered when making a change.

Business Factors

The change procedure should also cover other factors such as financial impact, modification of sales literature, update of products in commercial distribution, etc.

Quality Assurance Review

The change procedure should cover whether a quality assurance review is required for the change.

This change control procedure is also used for document control.

Changes to documents have to be reviewed and approved by an individual(s) in the same function or organization that performed the original review and approval of these documents unless there is a specific designation that states otherwise. These approved changes have to be communicated to the appropriate personnel in a timely manner. A company has to maintain records of changes to documents.

Change control for documents should include:
  • identification of the affected documents;
  • a description of the change;
  • the revision number;
  • the signature of the approving individual(s);
  • the approval date;
  • the date when the change becomes effective.

In the case of a regulatory agency inspection, the change control procedure is usually audited.

Tuesday, February 14, 2012

Change Control

Change control within quality management systems (QMS) and information technology (IT) systems is a formal process used to ensure that changes to a product or system are introduced in a controlled and coordinated manner. It reduces the possibility that unnecessary changes will be introduced to a system without analysis, introducing faults into the system or undoing changes made by other users of software.

The goals of a change control procedure include minimal disruption to services, reduction in back-out activities, and cost-effective utilization of resources involved in implementing a change.

Change control is used in a wide variety of products and systems. For Information Technology (IT), it is a major aspect of the broader discipline of change management. Typical examples from the computer and network environments are patches to software products, installation of new operating systems, upgrades to network routing tables, or changes to the electrical power systems supporting such infrastructure.

The change control process can be described as a sequence of six steps: record/classify, assess, plan, build/test, implement, close/gain acceptance.

Record/classify

A user initiates a change by making a formal request for something to be changed. The change control team then records and categorizes that request. This categorization would include estimates of importance, impact, and complexity.

Assess

The change control team makes an assessment, typically by answering a set of questions concerning risk, both to the business and to the process, and follows this by making a judgment on who should carry out the change. If the change requires more than one type of assessment, the head of the change control team will consolidate them. Everyone with a stake in the change then meets to determine whether there is a business or technical justification for the change. The change is then sent to the delivery team for planning.

Plan

Management will assign the change to a specific delivery team, usually one with the specific role of carrying out this particular type of change. The team's first job is to plan the change in detail as well as construct a regression plan in case the change needs to be backed out.

Build/test

If all stakeholders agree with the plan, the delivery team will build the solution, which will then be tested. They will then seek approval and request a time and date to carry out the implementation phase.

Implement

All stakeholders must agree to a time, date and cost of the implementation of the change. Following the implementation, it is usual to carry out a post-implementation review which would take place at another stakeholders meeting.

Close/gain acceptance

When the user agrees that the change was implemented correctly, the change can be closed.

Change Control in a Regulatory Environment

In a Good Manufacturing Practice (GMP) or ISO 9001 regulated environment, change control activities and procedures apply to software, labeling and packaging, device manufacturing processes, production equipment, manufacturing materials, and all associated documentation such as quality system procedures, standard operating procedures, quality acceptance procedures, data forms, and product-specific documentation. Change control is also applied to any production aids such as photographs and models or samples of assemblies and finished devices.

Any regulated industry has a compilation of documents containing the procedures and specifications for a finished product. It includes specifications and all other documentation required to procure components and produce, label, test, package, install, and service a finished product. Manufacturers are to prepare, control changes to, and maintain these documents using change control procedure which is in fact the document control procedure.

In my next post, I will describe the change control procedure as it applies to documentation in a regulated industry.

Monday, January 9, 2012

Consequences of GxP/GMP for Information Technology

In my last post, I described the GMP requirements for document control. In this post, I am going to describe the GMP requirements for information technology used in a GMP company.

For a drug to be produced in a GxP compliant manner, some specific information technology practices must be followed. Computer systems involved in the development, manufacture, and sale of regulated product must meet certain requirements such as:
  • secure logging: each system activity must be recorded, in particular what users of the system do that relates to research, development and manufacturing. The logged information has to be secured so that it cannot be changed once logged, not even by an administrative user of the system;
  • auditing: an IT system must be able to provide conclusive evidence in litigation cases, to reconstruct the decisions and potential mistakes that were made in developing or manufacturing a medical device, drug or other regulated product;
  • keeping archives: relevant audit information must be kept for a set period; in certain countries, archives must be kept for several decades. Archived information is still subject to the same requirements, but its only purpose is to provide trusted evidence in litigation cases;
  • accountability: every piece of audited information must have a known author who has signed into the system using an electronic signature; no actions are performed by anonymous individuals;
  • non-repudiation: audit information must be logged in such a way that no user can claim the information is invalid, e.g. by arguing that someone could have tampered with it. One way of assuring this is the use of digital signatures.
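As an added example, not code from the original post: a small append-only audit trail in Go that implements the first, fourth and fifth points above (secure logging, accountability and non-repudiation). Each entry carries the hash of the previous entry, so editing, reordering or removing an interior record breaks the chain, and each entry is signed with the acting user's Ed25519 key, so a record is attributable to exactly one registered user and cannot be re-signed by an administrator who does not hold that user's private key. The users, document ids and timestamps are constructed for the example; the field set, the "GENESIS" anchor and the in-memory user directory are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Entry is one audit-trail record (field names are assumptions for this example).
type Entry struct {
	Timestamp string // RFC 3339, UTC
	Actor     string // the signed-in user: no anonymous actions
	Action    string
	Target    string // e.g. document id and version
	PrevHash  string // hash of the preceding entry, which forms the chain
	Hash      string // SHA-256 over the fields above
	Signature string // Ed25519 signature by Actor over Hash (non-repudiation)
}

// AuditLog is append-only by construction: it offers no update or delete.
type AuditLog struct {
	entries []Entry
	keys    map[string]ed25519.PublicKey // registered users (assumed directory)
}
const genesis = "GENESIS" // fixed anchor for the first entry's PrevHash

// entryDigest hashes the record content, excluding Hash and Signature.
func entryDigest(e Entry) string {
	e.Hash, e.Signature = "", ""
	b, _ := json.Marshal(e) // a struct of strings cannot fail to marshal
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append records an action as actor, who must be registered and must sign
// with the private key that matches the registered public key.
func (l *AuditLog) Append(actor string, priv ed25519.PrivateKey, action, target string, at time.Time) error {
	pub, ok := l.keys[actor]
	if !ok || !pub.Equal(priv.Public()) {
		return fmt.Errorf("actor %q is unknown or the signing key is not theirs", actor)
	}
	prev := genesis
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Hash
	}
	e := Entry{Timestamp: at.UTC().Format(time.RFC3339), Actor: actor,
		Action: action, Target: target, PrevHash: prev}
	e.Hash = entryDigest(e)
	e.Signature = hex.EncodeToString(ed25519.Sign(priv, []byte(e.Hash)))
	l.entries = append(l.entries, e)
	return nil
}

// Verify re-derives every hash, follows the chain and checks every signature,
// so an edited, reordered or removed interior entry is reported.
func (l *AuditLog) Verify() error {
	prev := genesis
	for i, e := range l.entries {
		if e.PrevHash != prev || entryDigest(e) != e.Hash {
			return fmt.Errorf("entry %d: content altered, moved or removed after logging", i)
		}
		pub, ok := l.keys[e.Actor]
		sig, err := hex.DecodeString(e.Signature)
		if !ok || err != nil || !ed25519.Verify(pub, []byte(e.Hash), sig) {
			return fmt.Errorf("entry %d: signature by %q does not verify", i, e.Actor)
		}
		prev = e.Hash
	}
	return nil
}

// register creates a key pair for a constructed user and stores the public half.
func register(l *AuditLog, name string) ed25519.PrivateKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail on supported platforms
	l.keys[name] = pub
	return priv
}

// Demo builds a two-entry trail with constructed users, then checks that an edit
// by whoever holds the raw store is detected and that one user cannot sign as another.
func Demo() (cleanOK, tamperDetected, keyMisuseRejected bool) {
	trail := &AuditLog{keys: map[string]ed25519.PublicKey{}}
	alice, qa := register(trail, "alice"), register(trail, "qa.lead")
	t0 := time.Date(2012, 1, 9, 9, 0, 0, 0, time.UTC)
	trail.Append("alice", alice, "revise", "SOP-017 v02", t0)
	trail.Append("qa.lead", qa, "approve", "SOP-017 v02", t0.Add(time.Hour))
	cleanOK = trail.Verify() == nil
	trail.entries[1].Target = "SOP-017 v03" // an administrator rewrites the approval
	tamperDetected = trail.Verify() != nil
	trail.entries[1].Target = "SOP-017 v02" // restore for the next check
	err := trail.Append("alice", qa, "approve", "SOP-017 v02", t0.Add(2*time.Hour))
	keyMisuseRejected = err != nil
	return
}

func main() { fmt.Println(Demo()) } // true true true
```

Two limits are worth knowing before relying on a trail like this. The chain detects edits and removals of interior entries, but silently truncating the tail is invisible unless the latest hash is periodically anchored somewhere the log administrator cannot change (a write-once store, a countersigned daily digest). Non-repudiation also depends on key custody: if an administrator can read users' private keys, any entry can be forged, so keys must be generated and held per user. For the archiving requirement, the registered public keys and their validity periods have to be retained with the trail, since signatures are only evidence for as long as they can still be checked.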
GMP guidelines require that software programs be validated by adequate and documented testing. Validation is defined as the documented act of demonstrating that a procedure, process, or activity will consistently lead to the expected results. The software validation guideline states: “The software development process should be sufficiently well planned, controlled, and documented to detect and correct unexpected results from software changes.”

To validate software, it must be:
  • structured, documented, and evaluated as it is developed;
  • checked to make sure that it meets specifications;
  • adequately tested with the assigned hardware systems;
  • operated under varied conditions by the intended operators or persons of like training to assure that it will perform consistently and correctly.
These requirements matter for document management: GMP requires that documents be controlled, a document management system is the tool that controls them, and so that system must itself meet the information technology requirements listed above.

Friday, January 6, 2012

GxP/GMP and Document Control

In the regulated environment, document control is the cornerstone of the quality system. It is so important that if an external audit identifies deficiencies in the document control system, the entire organization can be shut down.

In my last post, I talked about the connection between ISO 9001 and document control. ISO 9001 is one example of the regulated environment. It is usually used in engineering types of companies. In food, drugs, medical devices, and cosmetics industries, GxP/GMP regulations are used. Today, I am going to talk about the connection between GxP/GMP and document control.

GxP is a general term for Good Practice quality guidelines and regulations. The titles of these good practice guidelines usually begin with "Good" and end in "Practice", with the specific practice descriptor in between. GxP represents the abbreviations of these titles, where x (a common symbol for a variable) represents the specific descriptor.

For example: Good Clinical Practice (GCP), Good Laboratory Practice (GLP), Good Manufacturing Practice (GMP), Good Safety Practice (GSP), and many others.

A "c" or "C" is sometimes added to the front of the acronym. The preceding "c" stands for "current." For example, cGMP is an acronym for "current Good Manufacturing Practice." The term GxP is only used in a casual manner, to refer in a general way to a collection of quality guidelines.

The purpose of the GxP quality guidelines is to ensure that a product is safe and meets its intended use. GxP guides quality manufacture in regulated industries such as food, drugs, medical devices, and cosmetics.

The most central aspects of GxP are traceability (the ability to reconstruct the development history of a drug or medical device) and accountability (the ability to resolve who has contributed what to the development, and when).

GMP is the most well known example of a GxP.

Good Manufacturing Practice (GMP) comprises the practices and systems that pharmaceutical and medical device companies are required to adopt. GMP is the guidance that outlines the aspects of production and testing that can impact the quality of a product.

Many countries have legislated that pharmaceutical and medical device companies must follow GMP procedures, and have created their own GMP guidelines that correspond with their legislation. The basic concepts of all of these guidelines remain more or less similar, with the ultimate goals of safeguarding the health of the patient and of producing good quality medicine, medical devices, or active pharmaceutical products.

In the U.S., a drug may be deemed adulterated if it passes all of its specification tests but is found to have been manufactured under conditions that violate current good manufacturing guidelines. Therefore, complying with GMP is mandatory in pharmaceutical and medical device manufacturing.

Documentation is a critical tool for ensuring GxP/GMP compliance.

This is what GMP states about document control:

Each manufacturer shall establish and maintain procedures to control all documents that are required. The procedures shall provide for the following:

1. Document approval and distribution. Each manufacturer shall designate an individual(s) to review for adequacy and approve prior to issuance all documents. The approval, including the date and signature of the individual(s) approving the document, shall be documented. Documents shall be available at all locations for which they are designated, used, or otherwise necessary, and all obsolete documents shall be promptly removed from all points of use or otherwise prevented from unintended use.

2. Document changes. Changes to documents shall be reviewed and approved by an individual(s) in the same function or organization that performed the review and approval of original documents, unless specifically designated otherwise. Approved changes shall be communicated to the appropriate personnel in a timely manner. Each manufacturer shall maintain records of changes to documents. Change records shall include a description of the change, identification of the affected documents, the signature of the approving individual(s), the approval date, and when the change becomes effective.

These requirements are consistent with document control requirements stated in ISO 9001 which I described in my previous post.

The role of QA, in regards to the document system, is one of management and oversight. QA ensures that all documents are maintained in a controlled fashion and that all procedures being used within the company are approved by the appropriate subject matter experts, are consistent with other documents, and are the most current version. One way that QA ensures this is by being the last signature on all approved documents. All documents (current, obsolete, and superseded), as well as the full history of the creation and revision of each document, are kept in Quality Assurance.

These are the steps of the document control procedure:

Creation

Any knowledgeable employee should be able to write or revise documents as needed.

Revising

When revising a document, the redline changes, along with a detailed justification of the changes, should be routed.

Routing

The document control function of QA is responsible for routing documents for review and approval. It is suggested that a pre-route be done to ensure that all affected parties are in agreement with the document before it is submitted to QA. There should be a documented process detailing how documents are submitted for review and approval.

A controlled form listing all the changes made to the document, the justification for the changes, and a list of personnel who need to review the document needs to be routed along with the document. At a minimum, the author's manager, all affected department heads, and QA need to review the document. Other subject matter experts can be included.

Approval

Once all affected parties have agreed to the changes, document control will prepare the document for approval. All changes will be incorporated into the document. For new documents the version number will be 00. For each revision of a document the version number will increase (01, 02, 03, etc.). A master document will be routed for approval signatures.

Typically the approval signatures are the Author, the Department Head, and QA. QA must be the last signature on all documents. Usually the approval signatures only appear on the first page of the document. Once the master document has been signed, an effective date is stamped onto each page of the document. The effective date must be far enough in advance to allow personnel to be trained on the document before it becomes effective (typically this is 5 days).

Distributing

On the effective day, copies of the signed master document are routed to the affected departments. The departments will remove the old version and replace it with the new version (for revised documents). If the document is new, there is no old version to remove.

The old versions must be returned to document control. On a periodic basis, document control personnel should audit the binders to determine whether they contain the correct versions. Each document binder should contain a table of contents and only those documents that the department is responsible for. A full set of all approved documents should be kept in the QA department as well as in a central company location.

Archiving

Old revisions of documents will be stamped as superseded. No document revisions will be discarded or altered. A file will be maintained within QA that contains all the superseded documents and the signature approvals of personnel who agreed to the revisions.

Obsolete

If a document will no longer be used by any department in the company, it can become obsolete. The document must be stamped as Obsolete and all copies removed from all document binders. It is a good idea to place a notice in the document stating that the document has been made obsolete.

Good manufacturing practice (GMP) regulations require that all documentation be issued, managed and controlled using a document management system.

In my future posts, I will further describe GMP regulations pertaining to documentation and documentation management systems.