Showing posts with label Document Control. Show all posts
Showing posts with label Document Control. Show all posts

Saturday, March 28, 2020

Purpose of Document Control and its Role in Quality Assurance

GxP/GMP, GDocP, ISO 9000 and documentation

GxP stands for "Good Practice" which is quality guidelines and regulations. The "x" stands for the various fields, for example Good Documentation Practice or GDocP, Good Financial Practice or GFP and so on. There are many instances of these regulations. One instance of GxP is Good Manufacturing practice or GMP.

GMP describes required Quality Management System (QMS) for manufacturing, testing, and quality assurance in order to ensure that products are safe, pure, and effective. GMP has ultimate goal to enable companies to minimize or eliminate contamination and errors which protects consumers from purchasing a product which is not effective or even dangerous. GMP regulations are required to be used in regulated industries such as food and beverages, pharmaceutical, medical devices, and cosmetics.

GMP documentation requirements are aligned with Good Documentation Practice (GDocP). GDocP is the standard in the regulated industries by which documents are created and maintained. It is the systematic set of procedures of preparation, reviewing, approving, issuing, recording, storing, and archiving documents.

The ISO 9000 is a set of standards which deals with fundamentals of Quality Management System (QMS) that helps organizations to ensure that they meet customers’ needs within statutory and regulatory requirements related to a product or service. ISO 9001 deals with the requirements that organizations wishing to meet the standard must fulfil.

GxP/GMP, GDocP, ISO 9000 are about QMS where an organization needs to demonstrate its ability to consistently provide a product that meets customer and applicable statutory and regulatory requirements.

Documentation is the key to compliance with these regulations and ensures traceability of all development, manufacturing, and testing activities. Documentation provides the route for auditors to assess the overall quality of operations within a company and the final product. GMP, GDocP, and ISO 9000 are enforced by regulatory agencies. Auditors pay particular attention to documentation to make sure that it complies with these regulations.

Therefore, in order for an organization to meet these requirements, it must have documentation procedures in place. Documentation is a critical tool for ensuring this compliance.

Purpose of document control and its role in Quality Assurance (QA)

The primary purpose of document control is to ensure that only current documents and not documents that have been superseded are used to perform work and that obsolete versions are removed. Document control also ensures that current documents are approved by the competent and responsible for the specific job people and documents are distributed to the places where they are used.

Document control is an essential preventive measure ensuring that only approved, current documents are used throughout an organization. Inadvertent use of out-of-date documents or not approved documents can have significant negative consequences on quality, costs, customer satisfaction, and can even cause death.

The role of QA, in regards to the document control system is one of management and overview.

QA ensures that all documents are maintained in a controlled fashion and that all controlled documents are approved by the appropriate subject matter experts, are consistent with other documents, and are the most current version.

One way that QA ensures this is by being the last signature on all approved documents. All documents - current, obsolete, superseded, as well as all the history on the creation and revision of the document should be kept in Quality Assurance.

Wednesday, July 31, 2013

ISO 9001 and Documentation

ISO 9001 compliance becomes increasingly important in regulated industries. How does it affect documentation? Here is how...

What is Document Control?

Document control means that the right persons have the current version of the documents they need, while unauthorized persons are prevented from use.

We all handle many documents every day. These documents include forms that we fill out, instructions that we follow, invoices that we enter into the computer system, holiday schedules that we check for the next day off, rate sheets that we use to bill our customers, and many more.

An error on any of these documents could lead to problems. Using an outdated version could lead to problems. Not knowing if we have the latest version or not could lead to problems. Just imagine us setting up a production line to outdated specifications or making strategic decisions based on a wrong financial statement.

ISO 9001 gives us tools (also referred to as "requirements") that show us how to control our documents.

ISO 9001 Documents

There are no "ISO 9001 documents" that need to be controlled, and "non ISO 9001 documents" that don't need control. The ISO 9001 system affects an entire company, and all business-related documents must be controlled. Only documents that don't have an impact on products, services or company don't need to be controlled - all others need control. This means, basically, that any business-related document must be controlled.

However, how much control you apply really depends on the document.

The extent of your approval record, for example, may vary with the importance of the document (remember, documents are approved before they are published for use).

The Quality Policy, an important corporate policy document, shows the signatures of all executives.

Work instructions often just show a note in the footer indicating approval by the department manager.

Some documents don't even need any approval record: if the person who prepared a document is also responsible for its content (e.g., the Quality Manager prepares instructions for his auditors), a separate approval is superfluous.

On the other hand, identifying a document with a revision date, source and title is basic. It really should be done as a good habit for any document we create.

Please note that documents could be in any format: hard copy or electronic. This means that, for example, the pages on the corporate internet need to be controlled.

Responsibility for Document Control

Document control is the responsibility of all employees. It is important that all employees understand the purpose of document control and how to control documents in accordance with ISO 9001.

Please be aware that if you copy a document or print one out from the Intranet and then distribute it, you are responsible for controlling its distribution! The original author will not know that you distributed copies of this documents, so the original author can't control your distribution.

Dating Documents

ISO 9001 requires to show on every document when it was created or last updated. Many of us may have thought to use our word processor's automatic date function for this, but... should we use the automatic date field on documents?

Generally not. If you enter the automatic date field into a document, the field will automatically be updated to always show the current date, no matter when you actually created or updated the document.

Example: For example, if you use the automatic date field in a fax and you save the fax on your computer for future reference, you won't be able to tell when you wrote the fax: when you open the fax on your computer, it will always show today's date.

The automatic date field is not suitable for document control. Therefore, as a general rule, don't use the automatic date field to identify revision status.

ISO 9001 Documentation

ISO 9001 documentation includes:
  • the Quality Procedures Manual, which also includes corporate policies and procedures affecting the entire company;
  • work instructions, which explain in detail how to perform a work process;
  • records, which serve as evidence of how you meet ISO 9001 requirements.
Policies and Procedures

Our ISO 9001 Quality Manual includes the corporate Quality Policy and all required ISO 9001 Procedures. While most procedures affect only managers, every employee must be familiar with the Quality Policy and with the Document Control procedures. The Quality Policy contains the corporate strategy related to quality and customer satisfaction; all other ISO 9001 documents must follow this policy. The Document Control procedures shows how to issue documents, as well as how to use and control documents.

Continuous Improvement

Implementing ISO 9001 is not a one-time benefit to a company. While you are utilizing the quality manual, quality procedures and work instructions in daily business activities, you are not only benefiting from better quality and increased efficiency but you are also continually improving. In fact, the ISO 9001 requirements are designed to make you continually improve. This is a very important aspect because companies that don't continue to improve are soon overtaken by the competition.

Monday, June 18, 2012

Document Control Systems Reviews - Arena

There are few applications specifically designed for document control. Arena is one of them and it is the subject of my today's post.

Arena has the following modules:

  • item management;
  • Bill of Materials Management (BOM);
  • change management;
  • supplier collaboration;
  • compliance tracking;
  • project collaboration.

Item Management

Item management allows you to have part data, assemblies and documents including drawings and data sheets in one place. This is a centralized product record. You can give your team and designated suppliers controlled access to all the information they need to design and manufacture your product.

You can create a unique record for every part in your item master with customizable part numbering schemes and categories. Customizable categories can be used to determine the layout and sequence of fields in your part record.

You can see the entire revision history of an item in a single place to understand the decisions and changes that brought you to the current design. BOMControl Item Management allows you to toggle easily between the current working revision and any previous revision with one click.

Bill of Materials Management (BOM)

Your bill of materials (BOM) contains the parts and instructions that make your product. BOMControl keeps bill of material data centralized, controlled, and up-to-date.

You can quickly compare multiple BOMs to see what has changed, or what is different. You can optimize procurement and production with side-by-side bill of materials comparisons that reveal component needs across multiple product lines.

With BOM preview panels and where used panels accessible from each line in every BOM, you can move through your BOMs with ease. From top-level assembly to specific subassemblies and components, you can view specific item details, grab files and compliance information and review change order status at a glance—all without disrupting your flow.

You can specify acceptable part substitutions directly in the BOM. BOMControl allows you to designate alternate items and conditions where you might want to use them instead of the primary item designated in the BOM. You can provide alternatives for hard-to-source parts, or specify an earlier revision of an existing item as a substitute to utilize on-hand stock of a part that has been updated.

Change Management

There is a voting scheme that shows changes to one or many key stakeholders as you require their input. There is a notification system that reminds participants to vote when their input is needed. You can send virtual change packages to stakeholders and suppliers anywhere in the world, review and approve engineering change requests (ECR) and engineering change orders (ECO) from any location. With redlines and comment functionality, the BOMControl engineering change management process is controlled and transparent, so you can confidently include your supply chain in your innovation efforts.

You can capture deviations, and send them out for approval and release with a time-based user notification flag on products under deviation. BOMControl supports overlapping deviations and allows you to extend the expiration date or force expiration as needed.

You can document the decisions that led to each deviation, and the associated approval process for a complete product history. For more complete change request management, BOMControl offers detailed notification options.

Anyone with proper permissions can create a documented change request which can include files, supporting reasoning and discussion history and send it to the engineer that owns the product for more timely approvals. You can capture field failures and product feedback from operations, customer care and your supply chain to make better sourcing, purchasing and design decisions.

Incoming ideas are connected to their corresponding items so engineers know which changes affect the items they manage.

Capture the detailed cost, availability, compliance and market decisions that shape your design and manufacturing processes over time. Track approvals in threaded conversations, and control supplier participation in your process by hiding sensitive information in the discussion panel.

BOMControl engineering change management preserves not only the changes you've made, but also the full history of what influenced those decisions.

Supplier Collaboration

Everyone in your supply chain can see the same up-to-date information at all times. You can control what information you share by setting a level of access for each supplier—from read-only or component-level access, to full BOM access for trusted partners. You can even bring suppliers into your change process for more efficient feedback loops. You can protect sensitive information by designating any file as private.

Designated suppliers can view your bill of materials, compare redlines, enter quotes, upload files or even participate in your change process. Automatic notifications let partners know when their input is required, when new revisions are introduced or when a part is deviated.

BOMControl’s export functionality makes sending snapshots of your BOM and other key information an easy, repeatable process. Export in CSV, XLS or PDX format, and save your settings for consistency. You can specify a commonly used export format for key partners, and generate the BOM in the format they prefer.

Compliance Tracking

Meet regulatory requirements and manage compliance information for your products and processes with BOMControl. Track, manage and comply with medical, environmental, safety and process standards and regulations.

You can track product compliance for environmental requirements like the Restriction of Hazardous Substances directive (RoHS). BOMControl compliance tracking helps you ensure that dangerous components of electronic and electrical manufacturing are managed to acceptable levels.

BOMControl enables you to efficiently and accurately track standards and certificates of compliance including UL, CE, CCC, FCC, VCCI and others.

Dedicated BOM views and reporting capabilities for compliance enable consistent conformity assessments, while engineering change management capabilities ensure that compliance can be maintained throughout a product’s lifecycle.

BOMControl has native document control capabilities that enable companies to meet ISO 9001:2000 requirements. BOMs and individual files can be managed under revision control with appropriate approvals and notifications.

You can verify and document any internal testing and standards within BOMControl, complete with approvals and notifications.

Project Collaboration

During the new product introduction (NPI) process, detailed project metrics show you the entire project at a glance and allow you to focus on the issues that most need attention. You can check the dashboard to make sure things are on track, or click through for more in-depth analysis.

You can track thousands of detailed tasks, or just a few critical project activities, so you can advance your products from one development phase to the next, even if your product structure is highly dynamic.

You can easily analyze progress at any level of the product assembly, any step in the project, or across a portfolio of projects to enable fast recognition and reaction to problems, changes and critical points.

You can define project templates that represent your high-level business processes, with milestones and phases for various types of projects such as New Product Development/Introduction or RoHS Compliance.

You can automatically generate detailed plans that keep task lists current and enable consistency enterprise-wide.

You can view late, unassigned and behind tasks associated with a project or tracked item in a project and perform "on-the-fly" problem analysis by displaying the earliest deadlines for parent items and latest deadlines for their child items. You can quickly and easily identify and drill down into problems at the portfolio, project or tracked item level.

You can notify users including suppliers of late phases, milestones and new task assignments and automatically trigger alerts for key task deadlines during the new product introduction process.

Additional Features

Flexible, persistent search - Search for components and assemblies, change orders, requests, etc. using multiple criteria including categories, attribute values, etc., then save search criteria to run the same search any time.

Document search - Locate documents by performing attribute search or by searching associations including items, suppliers, requests and changes.

Browsing history - Return to a recently viewed item with one click.

Bookmarks - Access any BOMControl record with one click from saved links on the main Dashboard page.

Configurable reports - Specify complex criteria to filter, sort and download item data. Save and share report formats, and even allow modification at run-time.

Collaborative access - Work with your authorized partners and suppliers by granting them restricted access to item information and enable them to easily download current product information including items, BOMs, and files.

Help - A help system is available on every page.

Built-In Chat and Calls - Discuss product issues and changes with your local team or your global supply chain with Skype. See who is connected to the workspace at a glance.

Monday, May 14, 2012

Document Control System Implementation

Document control is revision control of documents, assigning and tracking documents numbers, change control management, assuring documents compliance, documents routing and tracking. It can also include Bill of Materials (BOM) and Approved Vendor List (AVL) management. Document control could either exist separately or could be a part of content management activities.

In companies, especially in regulated industries, there are document control people for performing document control functions separately. They do not have any functions related to content management. Document control is usually part of QA. It is mandated function in regulated industries. Document control is a part of ISO 9001 and GMP/GxP requirements.

The primary purpose of document control is to ensure that only current documents and not documents that have been superseded are used to perform work and that obsolete versions are removed. Document control also ensures that current documents are approved by the competent and responsible for the specific job persons and are distributed to the places where they are used.

How to implement the document control system and where to start? This is the subject of my today's post.

In order for your document control project to be successful, I recommend that you follow these steps in this specific order.

Select a System

Select an electronic system in which you are going to control your documents. If you already have a content management system in place, it could serve document control purpose as well. If you don't have a content management system, select a system specifically designed for document control. Most widely used and popular systems specifically designed for document control are Agile, Arena, and Omnify. If in future you decide to implement a content management system, you would be able to integrate it with your document control system.

Define Controlled Documents

Controlled document is any document that is used to perform work. Reference document is any document that is used for reference only and NOT to perform work. These documents must NOT be used to perform work.

Identify all your document types, for example specifications, drawings, schedules, meeting minutes, etc. Among these documents, identify which documents are going to be controlled documents and which are going to be reference documents.

Be careful about designating documents as controlled. Controlled documents must be approved by authorized approvers in order for them to be valid and to be able to use them. The author or modifier of a controlled document must get this document approved before it can be used to perform work. Each controlled document would need to have a number. All controlled documents must be accounted for, their distribution is strictly controlled. For this reason, choose your controlled document types with great care.

So, if a document so not need to be approved or their distribution is strictly controlled, make it a reference document. For example, if a document is going to be used for work and this work needs to be controlled as far as its quality and safety, then this document should be controlled.

Define Document Approvers

Define who in your staff is going to approve documents when they are going to be created or changed. Define the procedure for documents approval.

ECO Process

When a new document is created or a document is going through a change, Engineering Change Order (ECO) is used to document and approve the document creation or changes. It can also be called Engineering Change Notice (ECN) or Document Change Notice (DCN). ECO outlines the proposed change, lists the product or part(s) that would be affected and requests review and approval from the individuals who would be impacted or charged with implementing the change. ECOs are used to make modifications to components, assemblies, associated documentation and other types of documents.

The change process starts when someone identifies an issue that may need to be addressed with a change to the product. It ends when the agreed-upon change is implemented. ECOs are used in between to summarize the modifications, finalize the details, and obtain all necessary approvals. Every time a document is created or changed, ECO would need to be created and used to get this document approved.

You would need to assign a number to each ECO and if you are not using an electronic system for generating ECO or lists which could be used as ECO list, you would have to scan and upload ECO into your system.

Taxonomy

Every information system should include two access points to information: search function and browse function. Users use search function when they know exactly what they are looking for. Users use browse function when they do not know what they are looking for. Taxonomy needs to be created to accommodate the browse function in the system.

Users do not always know what they are looking for. In fact, in most cases, users do not know what they are looking for or they know it but are not able to find it using search. Users are going to look for ways to find documents. It is easy to find uncategorized documents when there are just few of them in the system. When there are many items in the system, it is going to be very difficult to find them.

Create taxonomy for your documents. Taxonomy should be validated in the user study and user side testing when necessary and adjusted as needed.

Metadata, Naming Conventions, Controlled Vocabulary

Metadata

Metadata values for documents need to be defined to accommodate the search function of documents in the system. Each document type should have metadata assigned to it. Metadata values would be the criteria that users need to use to search for documents.

The general system search will accommodate the full text search of content. This search would be sufficient when there are just few documents in the system. When there are many documents in the system, the general system search will retrieve a long list of irrelevant items. Users are not going to browse through long lists of items. To make the search precise, the presence of metadata is necessary. If metadata is present, the search can be performed using metadata rather than full text search.

Metadata should be validated in the user study and user side testing when necessary and adjusted as needed.

Naming Conventions

The role of naming conventions is very important in order for users to identify documents in the list without opening each one of them. Naming conventions should be created for each document type. Naming conventions should be validated in the user study and user side testing when necessary and adjusted as needed.

Controlled Vocabulary

Controlled vocabulary is the list of controlled terms that should be used for some of the metadata fields. These controlled terms should be standard terms used in standard publications, documents, majority of users, etc. Controlled vocabulary would help to ensure that metadata values are consistent. Consistent metadata will ensure high precision search.

Assure Documents Distribution

During this step, you need to make sure that everyone who needs the document gets a copy.

Distribution may be physical (paper documents) or electronic. When posting the document on intranet or other electronic systems, ensure that everybody who needs to have the new document knows about the posting (e.g. through an email or workflow notifications). When distribution is physical (paper documents), documents need to be stamped to identify that this is a controlled document and that a user of this document needs to verify that this is the most current version before starting work.

Controlled documents need to be watermarked so that if they are printed, users know that they need to verify their version before using them.

An inventory of controlled documents should be created with the exact location of each controlled document.

Remove Obsolete Documents

This is easy if you use an electronic documentation management system but is more complicated with hard copy documents. Each hard copy document must be replaced when it has been changed.

You may request the receiver of new documents to send back obsolete ones. If for some reason you need to retain obsolete versions of documents, they need to be marked to avoid unintended use. Many organizations use a stamp: "obsolete document".

Wednesday, February 15, 2012

Change Control in the Regulated Industries

In my last post, I described change control process in general and I mentioned that in the regulated industries, manufactures are required to use a change control procedures I am going to describe this change control procedure in this post.

A change control procedure is usually one of standard operating procedures (SOP's). It usually includes a change control form. Some companies also use change request forms for suggested changes. This procedure usually includes the following components:

Identification

The identification of the changed device, assembly, component, labeling, packaging, software, process, procedure, manufacturing material, and any other related item or document. The change control form has blank spaces for recording this data.

Effective Date

The effective date of the change which is usually a completion date, or an action to be performed when a specific event occurs, such as "implement the change when the new part is installed, validated, and operational." The blank on the change control form for recording the effective date should not be left empty.

Responsibility

The change procedure should state which department or designee is responsible for each function to be performed.

Revision Number

The change procedure should describe the way the revision level is to be incremented. It is common practice to use sequential numbers for revisions.

Communication

The change procedure should describe the communication of changes to all affected parties such as production, purchasing, contractors, suppliers, etc. As appropriate, the document might include activities that apply to internal operations. Examples are employee training, rework, or disposition of in-process assemblies, use of revised drawings and/or procedures, and disposition of old documents.

Updating Documentation

The change procedure should cover updating of primary and secondary documentation such as instruction manuals. Usually there are no problems with updating or revising primary documentation -- in fact, that is a major reason the given change order is being processed. In contrast, it is rather easy to forget that related secondary documents such as component drawings, instruction manuals or packaging require revision if affected by a given change. The use of a good change control form can alleviate this problem.

Documentation Distribution

Revised documentation should be distributed to persons responsible for the operations affected by the change and old documents removed and filed or discarded, as appropriate. After updated documents have been approved, these documents have to be made available at all locations for which they are designated, used, or otherwise necessary, and all obsolete documents have to be promptly removed from all points of use or otherwise prevented from unintended use.

Remedial Actions

Certain changes may require remedial action. Changes of this nature should be addressed in the change control procedure.

Regulatory Submissions

There may be changes may that require a regulatory submission. The change control procedure should specify if regulatory submissions should be considered when making a change.

Business Factors

The change procedure should also cover other factors such as financial impact, modification of sales literature, update of products in commercial distribution, etc.

Quality Assurance Review

The change procedure should cover if the quality assurance review is required for the change.

This change control procedure is also used for document control.

Changes to documents have to be reviewed and approved by an individual(s) in the same function or organization that performed the original review and approval of these documents unless there is a specific designation that states otherwise. These approved changes have to be communicated to the appropriate personnel in a timely manner. A company has to maintain records of changes to documents.

Change control for documents should include:
  • identification of the affected documents;
  • a description of the change;
  • revision number
  • the signature of the approving individual(s);
  • the approval date;
  • the date when the change becomes effective.
In a case of the regulatory agencies inspection, the change control procedure is usually audited.

Tuesday, February 14, 2012

Change Control

Change control within quality management systems (QMS) and information technology (IT) systems is a formal process used to ensure that changes to a product or system are introduced in a controlled and coordinated manner. It reduces the possibility that unnecessary changes will be introduced to a system without analysis, introducing faults into the system or undoing changes made by other users of software.

The goals of a change control procedure include minimal disruption to services, reduction in back-out activities, and cost-effective utilization of resources involved in implementing a change.

Change control is used in a wide variety of products and systems. For Information Technology (IT), it is a major aspect of the broader discipline of change management. Typical examples from the computer and network environments are patches to software products, installation of new operating systems, upgrades to network routing tables, or changes to the electrical power systems supporting such infrastructure.

Change control process can be described as the sequence of of six steps: record/classify, assess, plan, build/test, implement, close/gain acceptance.

Record/classify

A user initiates a change by making a formal request for something to be changed. The change control team then records and categorizes that request. This categorization would include estimates of importance, impact, and complexity.

Assess

Change control team makes an assessment typically by answering a set of questions concerning risk, both to the business and to the process, and follow this by making a judgment on who should carry out the change. If the change requires more than one type of assessment, the head of the change control team will consolidate them. Everyone with a stake in the change then meet to determine whether there is a business or technical justification for the change. The change is then sent to the delivery team for planning.

Plan

Management will assign the change to a specific delivery team, usually one with the specific role of carrying out this particular type of change. The team's first job is to plan the change in detail as well as construct a regression plan in case the change needs to be backed out.

Build/test

If all stakeholders agree with the plan, the delivery team will build the solution, which will then be tested. They will then seek approval and request a time and date to carry out the implementation phase.

Implement

All stakeholders must agree to a time, date and cost of the implementation of the change. Following the implementation, it is usual to carry out a post-implementation review which would take place at another stakeholders meeting.

Close/gain acceptance

When the user agrees that the change was implemented correctly, the change can be closed.

Change Control in a Regulatory Environment

In a Good Manufacturing Practice (GMP) or ISO 9001 regulated environment, change control activities and procedures apply to software, labeling and packaging, device manufacturing processes, production equipment, manufacturing materials, and all associated documentation such as quality system procedures, standard operating procedures, quality acceptance procedures, data forms, and product-specific documentation. Change control is also applied to any production aids such as photographs and models or samples of assemblies and finished devices.

Any regulated industry has a compilation of documents containing the procedures and specifications for a finished product. It includes specifications and all other documentation required to procure components and produce, label, test, package, install, and service a finished product. Manufacturers are to prepare, control changes to, and maintain these documents using change control procedure which is in fact the document control procedure.

In my next post, I will describe the change control procedure as it applies to documentation in a regulated industry.

Monday, January 9, 2012

Consequences of GxP/GMP for Information Technology

In my last post, I described the GMP requirements for document control. In this post, I am going to describe the GMP requirements for information technology used in a GMP company.

For a drug to be produced in a GxP compliant manner, some specific information technology practices must be followed. Computer systems involved in the development, manufacture, and sale of regulated product must meet certain requirements such as:
  • secure logging: each system activity must be registered, in particular what users of the system do, that relate to research, development and manufacturing. The logged information has to be secured appropriately so that it cannot be changed once logged, not even by an administrative user of the system;
  • auditing: an IT system must be able to provide conclusive evidence in litigation cases, to reconstruct the decisions and potential mistakes that were made in developing or manufacturing a medical device, drug or other regulated product;
  • keeping archives: relevant audit information must be kept for a set period. In certain countries, archives must be kept for several decades. Archived information is still subject to the same requirements, but its only purpose is to provided trusted evidence in litigation cases;
  • accountability: Every piece of audited information must have a known author who has signed into the system using an electronic signature. No actions are performed by anonymous individuals;
  • non-repudiation: audit information must be logged in a way that no user could say that the information is invalid, e.g. saying that someone could have tampered with the information. One way of assuring this is the use of digital signatures.
GMP guidelines require that software programs must be validated by adequate and documented testing. Validation is defined as the documented act of demonstrating that a procedure, process, and activity will consistently lead to the expected results. The software validation guideline states: “The software development process should be sufficiently well planned, controlled, and documented to detect and correct unexpected results from software changes."

To validate software, it must be:
  • structured, documented, and evaluated as it is developed;
  • checked to make sure that it meets specifications;
  • adequately tested with the assigned hardware systems;
  • operated under varied conditions by the intended operators or persons of like training to assure that it will perform consistently and correctly.
It is important to notice these requirements since a document management system is required to control documents, so this document management system must meet these requirements for information technology.

Friday, January 6, 2012

GxP/GMP and Document Control

In the regulated environment, the document control is the cornerstone of the quality system. It is so important that if an external audit identifies deficiencies in the document control system, the entire organization can be shut down.

In my last post, I talked about the connection between ISO 9001 and document control. ISO 9001 is one example of the regulated environment. It is usually used in engineering types of companies. In food, drugs, medical devices, and cosmetics industries, GxP/GMP regulations are used. Today, I am going to talk about the connection between GxP/GMP and document control.

GxP is a general term for Good Practice quality guidelines and regulations. The titles of these good practice guidelines usually begin with "Good" and end in "Practice", with the specific practice descriptor in between. GxP represents the abbreviations of these titles, where x (a common symbol for a variable) represents the specific descriptor.

For example: Good Clinical Practice (GCP), Good Laboratory Practice (GLP), Good Manufacturing Practice (GMP), Good Safety Practice (GSP), and many others.

A "c" or "C" is sometimes added to the front of the acronym. The preceding "c" stands for "current." For example, cGMP is an acronym for "current Good Manufacturing Practice." The term GxP is only used in a casual manner, to refer in a general way to a collection of quality guidelines.

The purpose of the GxP quality guidelines is to ensure that a product is safe and meets its intended use. GxP guides quality manufacture in regulated industries such as food, drugs, medical devices, and cosmetics.

The most central aspects of GxP are traceability - the ability to reconstruct the development history of a drug or medical device and accountability - the ability to resolve who has contributed what to the development and when.

GMP is the most well known example of a GxP.

Good Manufacturing Practice (GMP) are practices and the systems required to be adapted in pharmaceutical and medical devices companies. GMP is the guidance that outlines the aspects of production and testing that can impact the quality of a product.

Many countries have legislated that pharmaceutical and medical device companies must follow GMP procedures, and have created their own GMP guidelines that correspond with their legislation. Basic concepts of all of these guidelines remain more or less similar to the ultimate goals of safeguarding the health of the patient as well as producing good quality medicine, medical devices, or active pharmaceutical products.

In the U.S. a drug may be deemed adulterated if it passes all of the specifications tests but is found to be manufactured in a condition which violates current good manufacturing guidelines. Therefore, complying with GMP is a mandatory aspect in pharmaceutical and medical devices manufacturing.

Documentation is a critical tool for ensuring GxP/GMP compliance.

This is what GMP states about document control:

Each manufacturer shall establish and maintain procedures to control all documents that are required. The procedures shall provide for the following:

1. Document approval and distribution. Each manufacturer shall designate an individual(s) to review for adequacy and approve prior to issuance all documents. The approval, including the date and signature of the individual(s) approving the document, shall be documented. Documents shall be available at all locations for which they are designated, used, or otherwise necessary, and all obsolete documents shall be promptly removed from all points of use or otherwise prevented from unintended use.

2. Document changes. Changes to documents shall be reviewed and approved by an individual(s) in the same function or organization that performed the review and approval of original documents, unless specifically designated otherwise. Approved changes shall be communicated to the appropriate personnel in a timely manner. Each manufacturer shall maintain records of changes to documents. Change records shall include a description of the change, identification of the affected documents, the signature of the approving individual(s), the approval date, and when the change becomes effective.

These requirements are consistent with document control requirements stated in ISO 9001 which I described in my previous post.

The role of QA, in regards to the document system, is one of management and overview. QA ensures that all documents are maintained in a controlled fashion and that all procedures are being used within a company are approved by the appropriate subject matter experts, are consistent with other documents, and are the most current version. One way that QA ensures this is by being the last signature on all approved documents. All documents; current, obsolete, superseded, as well as all the history on the creation and revision of the document are kept in Quality Assurance.

These are the steps of the document control procedure:

Creation

Any knowledgeable employee should be able to write or revise documents as needed.

Revising

When revising a document the redline changes along with detailed justification of the changes should be routed.

Routing

The document control function of QA is responsible for routing documents for review and approval. It is suggested that a pre-route be done to ensure that all affected parties are in agreement with the document before it is submitted to QA. There should be a documented process detailing how documents are submitted for review and approval.

A controlled form listing all the changes made to the document, justification for the changes, and a list of personnel who need to review the document needs to be routed along with the document. At a minimum the author’s manager, all affected department heads, and QA need to review the document. Other Subject Matter Experts can be included.

Approval

Once all affected parties have agreed to the changes, document control will prepare the document for approval. All changes will be incorporated into the document. For new documents the version # will be 00. For each revision of a document the version number will increase (01, 02, 03, etc). A master document will be routed for approval signatures.

Typically the approval signatures are the Author, the Department Head, and QA. QA must be the last signature on all documents. Usually the approval signatures only appear on the first page of the document. Once the master document has been signed, and effective date is stamped onto each page of the document. The effective date must be far enough in advance to allow for the document to be trained on before it becomes effective (typically this is 5 days).

Distributing

On the effective day copies of the signed master document are routed to the affected departments. The departments will remove the old version and replace it the new version (for revised documents). If the document is new, there will be no replacement document to remove.

The old versions must be returned to document control. On a periodic basis document control personnel should audit the binders to determine if they contain the correct versions. Each document binder should contain a table of contents and only those documents that the department is responsible for. A full set of all approved documents should be in the QA department as well as in a central company location.

Archiving

Old revisions of documents will be stamped as superseded. No document revisions will be discarded or altered. A file will be maintained within QA that contains all the superseded documents and the signature approvals of personnel who agreed to the revisions.

Obsolete

If a document will no longer be used by any department in the company it can become obsolete. The document must be stamped as Obsolete and all copies removed from all document binders. It is a good idea to place a notice in the document stating that the document has been Obsolete.

Good manufacturing practice (GMP) regulations require that all documentation be issued, managed and controlled using a document management system.

In my future posts, I will further describe GMP regulations pertaining to documentation and documentation management systems.

Thursday, January 5, 2012

ISO 9001 and Document Control

ISO 9001 specifies requirements for a Quality Management System (QMS) where an organization needs to demonstrate its ability to consistently provide product that meets customer and applicable statutory and regulatory requirements.

An organization is required to establish, document, implement, and maintain a quality management system and continually improve its effectiveness.

A cornerstone of the QMS is document control. Therefore, in order for an organization to meet ISO 9001 requirements, it must have a document control system in place. Auditors pay particular attention to document control.

Document control is an essential preventive measure ensuring that only approved, current documents are used throughout the organization. Inadvertent use of out-of-date documents or not approved documents can have significant negative consequences on quality, costs, and customer satisfaction.

What is Controlled Document?

Let's define controlled documents. Controlled document is any document that is used to perform work and not for reference. Furthermore, ISO 9001 states that documents required by the QMS should be controlled.

The QMS includes the following documents: statements of quality policy and quality objectives, quality manual, procedures, and records determined by the organization to be necessary to ensure the effective planning, operation, and control of its processes.

The format and structure of the quality policy, quality objectives, and quality manual is a decision for each organization, and will depend on the organization’s size, culture and complexity.

A small organization may find it appropriate to include the description of its entire QMS within a single manual, including all the documented procedures required by the standard. Large, multi-national organizations may need several manuals at the global, national or regional level, and a more complex hierarchy of documentation.

ISO 9001 specifically requires the organization to have documented procedures for the following six activities:

1. Control of documents

2. Control of records

3. Internal audit

4. Control of nonconforming product

5. Corrective action

6. Preventive action

Some organizations may find it convenient to combine the procedure for several activities into a single documented procedure (for example, corrective action and preventive action). Others may choose to document a given activity by using more than one documented procedure (for example, internal audits). Both are acceptable.

Some organizations (particularly larger organizations, or those with more complex processes) may require additional documented procedures (particularly those relating to product realization processes) to implement an effective QMS.

Other organizations may require additional procedures, but the size and/or culture of the organization could enable them to be effectively implemented without necessarily being documented. However, in order to demonstrate compliance with ISO 9001, the organization has to be able to provide objective evidence that its QMS has been effectively implemented.

The typical controlled document types include:
  • policies - the company’s position or intention for its operation;
  • procedures - responsibilities and processes for how the company operates to comply with its policies;
  • work and/or test instructions - step-by-step instructions for a specific job or task;
  • forms and records - recorded information demonstrating compliance with documented requirements;
  • drawings - those that are issued for work;
  • process maps, process flow charts, and/or process descriptions;
  • specifications;
  • internal communication;
  • production schedules;
  • approved supplier lists;
  • test and inspection plans;
  • quality plans.
The type and extent of the documentation will depend on the nature of the organization’s products and processes, the degree of formality of communication systems and the level of communication skills within the organization, and the organizational culture.

Document Control Procedure

ISO 9001 states that the procedure for document control should be established which should include the following:

1. To approve documents for adequacy prior to issue.

Document approvals are mandatory and must be kept as a record as well. When determining who should approve a particular document, limit approvals to those with direct knowledge or responsibility for the document.

Approval signatures must be recorded prior to the release and use of the document. Approvals may be in the form of a written signature or a password-protected electronic approval record. The date of all approvals must precede the document's release date.

While not explicitly stated, this requirement also applies to temporary memos or postings that are used to communicate QMS or product-related requirements. Any temporary documents must be clearly identified, signed and dated. It is advisable to include an expiration date on temporary documents to ensure they are removed from use when intended.

2. To review and update as necessary and re-approve documents.

All documents must be reviewed periodically and updated and re-approved if needed. This review can be tied to a company's internal audit process, management review or scheduled on some periodic (annual) basis. A record of such reviews must be kept.

3. To ensure that changes and the current revision status of documents are identified.

When a document is updated, a record must be kept of the change, including the reasons for and nature of the change. In addition, current revision status must be maintained. This includes the current development stage (draft, review, approval, etc.) and the date or revision level (number or letter) identifying the current version of the document.

4. To ensure that relevant versions of applicable documents are available at points of use.

The storage and access of documents must easily allow individuals to find the appropriate version of a document to use where needed. Older versions of a document that are still needed (e.g. specifications for an older product) may remain active if necessary, but the revision level must be made clear.

You should consider where designated controlled locations of your documents will be established and whether short-term reference copies of controlled documents will be permitted. Typically, the easier it is for employees to access controlled copies when needed, the fewer times they will feel the need to use an uncontrolled copy of a document. Ensuring timely and convenient access to documents is frequently the source of high costs and repeated discrepancies.

5. To ensure that documents remain legible and readily identifiable.

The format and storage of documents must protect a document from being rendered unreadable due to wear or damage and that every document can be clearly identified through a title, document number or other suitable identification.

6. To ensure that documents of external origin determined by the organization to be necessary for the planning and operation of the quality management system are identified and their distribution controlled.

Documents that do not originate within the organization, but are necessary for ensuring quality and meeting customer requirements must also be controlled. These can include customer, supplier or industry documents. However, the extent of control is limited to clear identification and controlled distribution. A log or other record would suffice to track external documents.

7. To prevent the unintended use of obsolete documents, and to apply suitable identification to them if they are retained for any purpose.

Out-of-date documents or older versions of revised documents must be protected from unintentional use. This usually requires segregation or disposal of obsolete documents. Any obsolete documents that are kept for reference or other purposes must be clearly identified through markings, separate storage areas, or other means.

Controlled documents need to be clearly identified. Hard copy documents need to be stamped. Electronic documents need to be watermarked so that when they are printed, they could be identified that they are controlled documents and a user needs to verify an electronic version prior to use of this document.

Main Objectives

These are some of the main objectives of an organization’s documentation system:

1. Communication of Information

Documentation is viewed as a tool for information transmission and communication.

2. Evidence of conformity

Documentation is viewed as provision of evidence that what was planned, has actually been done.

3. Knowledge sharing

Documentation is used to disseminate and preserve the organization’s experiences. A typical example would be a technical specification, which can be used as a base for design and development of a new product.

Measuring Success

How can you measure the performance of your document control process? Here are some suggested metrics:

User satisfaction – Periodically survey your employees regarding the usability of your documentation. Use the results to improve the format of your documents and training of your authors.

Document errors – Track the number of document revisions due to information mistakes in your documentation. Results will often reveal weaknesses in your review and proofreading processes.

Up-to-date – Count the number of document revisions or audit discrepancies stemming from a document that is out-of-date. This will tell you whether your periodic document reviews or obsolete document provisions are effective.

Cycle time – Measure the time it takes a document to be developed or revised from initial draft to release. Work to improve the efficiency of your document control process as you would any other business process.

Cost – Consider tracking the costs associated with your documentation including developing, revising, storing, retrieving, distributing, filing, auditing, reviewing, approving, etc. Of these potential costs, document retrieval is often an expensive hidden cost generated when individuals must search endlessly for a document because of inadequate indexing, organization, storage or training.

Results of the performance measures of your document control process can help you determine how to drive continual improvements into your entire QMS.

In my next posts I will describe electronic systems that are used for document control.

Wednesday, December 7, 2011

Engineering Change Process

Let's look at the engineering change process and how Engineering Change Order (ECO) is used in this process.

The stages of the engineering change process are:

1. Issue identification & scoping:

Someone identifies a problem or issue and determines that it may require a change. The scope of the issue and its possible impact are estimated.

2. ECR creation:

An engineering change request (ECR) is created to examine the necessity and feasibility of the change, to identify parts, components and documentation that might be affected, to estimate costs and to list the resources required to implement the change.

3. ECR review:

The ECR is circulated for review and discussion among key stakeholders and is modified as needed.

4. ECO creation:

Once the ECR is approved, an engineering change order (ECO) is generated, which lists the items, assemblies and documentation being changed and includes any updated drawings, CAD files, standard operating procedures (SOPs) or manufacturing work instructions (MWIs) required to make a decision about the change.

5. ECO review: The ECO is then circulated to a change review board made up of all stakeholders (including external partners when appropriate) who need to approve the change.

6. ECN circulation:

Once the ECO has been approved, an engineering change notification/notice (ECN) is sent to affected individuals to let them know that the ECO has been approved and the change should now be implemented.

7. Change implementation:

Those responsible for implementation use the information in the ECO and ECN to make the requested change. While an engineering change order is used for changes that are executed by engineering, other types of change orders may be used by other departments. These include the:

• Manufacturing change order (MCO) — A change order describing modifications to the manufacturing process or equipment.

• Document change order (DCO) — A change order detailing modifications to documents, specifications or SOPs.

ECO benefits

While you may groan at the prospect of pulling together another set of documentation, an ECO is a critical part of keeping product development on track and making sure product information is accurate. A good ECO contains the full description, analysis, cost and impact of a change, and a good ECO process ensures that all stakeholders have bought in to the change. Having an organized method of handling product changes reduces potential design, manufacturing and inventory errors, minimizes development delays and makes it easy to get input from different departments, key suppliers and contract manufacturers.

Following good ECO practices also makes it easy to document a full history of what changes have been made to a product and when they occurred. In industries with regulatory requirements, like the medical device industry, having a full history of every change to a product is mandatory. Depending on the industry, change orders and even the change process itself may be audited by a regulatory body. Keeping a record of product changes will also help you debug any problems that occur after your product launches. The task of identifying and fixing the root cause of any problem is easier when you have a complete product change history.

Without a clear ECO process in place, making a change to a product can set off a chain of costly, time-consuming and avoidable events. Take a part switch that happens late in the development process. Engineering may tell manufacturing to be aware of the new part, but if that information is never conveyed to the purchasing department, the old part will be ordered. When the components arrive, manufacturing will not be able to assemble the product, and its launch will be delayed until the new part is obtained (most likely with some rush charges incurred along the way).

Engineering change orders make it possible to accurately identify, address and implement product changes while keeping all key stakeholders in the loop and maintaining a historical record of your product. Without them, miscommunications occur that lead to delays, incorrect purchase orders and improper product builds.

Companies need to be able to adapt quickly in today’s constantly changing environment, and often that means making changes to their products. Engineers make modifications during development and production with the intent of adding functionality, improving manufacturing performance or addressing the availability of a particular part.

To make sure proposed changes are appropriately reviewed, a solid process is critical, especially if members of your product team are scattered across multiple locations (for instance, design engineers in Boston, the manufacturing team in St. Louis and component manufacturers all over the world). At the heart of a solid change process is the engineering change order.

Engineering Change Orders: Paper-Based vs. Electronic Documentation Systems


Managing Paper ECO
Managing Electronic ECO
Cycle Time
·         ECO is generally reviewed one person at a time.
·         If multiple copies are distributed, edits must be consolidated and reviewed again.
·         Paper ECO can be misplaced ECO review can be a long process (weeks).
·         ECO can be reviewed by many people  at  once.
·         All edits are made to a single version, so no consolidation is needed.
·         ECO is always available online.ECO review is significantly shorter process (days).
Signature Process
·         Early approvers won’t be aware of edits, necessitating additional rounds of review.
·         Official approval disappears if the ECO file is lost.
·         Harder to maintain clean, complete history of changes.

·         All approvers sign off on the same set of documentation.
·         Electronic signature is 21 CFR part 11 compliant, a requirement for the medical device industry.
·         Automatic maintenance of clean history for audits.
Issue Resolution
·         Individuals need to be tracked down to resolve problems.
·         May need to wait for change control review board meeting to connect with other approvers.
·         People’s comments can be viewed, so hold-ups can be quickly resolved
·         Can easily see who hasn’t signed and request approval electronically.
Package Format
·         Large paper file of documents and drawings must be printed.
·         Tedious and labor-intensive to pull together information from many locations.
·         Electronic documentation is environmentally friendly.
·         Easy to create and access ECO when managed in the same system as underlying product information.