Quality Management System in regulated industries are taking to the cloud

quality management systemsQuality Management System software providers have matured in recent years, with an increasing number entering the Pharmaceutical and Medical Device industries and marketing themselves as 21 CFR Part 11 and ISO 9001 compliant.

The fact is that QMS software providers have all gone to the cloud with many offering a purely web-based service. Only a minority are still offering the option of an entirely local installation.

However, taking a paper-based or a local server QMS system to a completely cloud-based format is still a daunting proposition for many organisations.

While the thought of having your sensitive QMS documentation stored on a server in Alaska may give you chills, the services are robust and are considered a net improvement over traditional storage services.

Do the benefits outweigh the risks?

quality management systems in regulated industriesThe question of whether to take the leap has been of concern to PharmOut’s small to medium sized clientele. The larger market players, in-order to stay ahead of the increasing burden placed on their quality systems by regulators, have necessarily begun to commit to the cloud.

The QMS services on the market are normally partnered with an independent secure cloud service provider such as Microsoft’s Azure or Amazon’s AWS platforms. These services provide the Quality Management Systems software client with data storage on their platform, operating on a Virtual Private Network (VPN) for additional security. Cloud platforms have been providing their secure data storage and communication services to regulated applications in the military and finance for many years prior to entering the GxP space. As such the technology has proven itself reliable.

It is however, still incumbent on the purchaser to do their due diligence when selecting a QMS provider to ensure the cloud service platform is secure.

These cloud storage suppliers can be considered in similar way to any other Platform as a Service (PaaS) and should be supplier audited in a similar fashion. You can and should leverage the QMS service provider’s own auditing of their cloud platform.

It is critical that the vendor can supply a Service Level Agreement (SLA) that meets your data integrity requirements.

How to choose a new Quality Management System

With so many QMS service products on the market where do you even start?

The market leaders are the likes of Sparta Systems, Master Control and Veeva to name a few. Other smaller providers are available such as Qiksolve, Qualio and Qualityze.

Whatever you choose to go with, ensure that the following are covered by the service:

  • Audits
  • Complaints
  • Risk Management
  • CAPA’s
  • SOP’s
  • Training

If any of these aren’t included in your QMS, they will need to be covered by another system. You will then have multiple competing systems on-site, which is bound to lead to confusion and an increased risk of errors.

Depending on the provider, some of these features may be separated off in variations of the service structure which may need to be purchased separately. Although the expectation is to purchase the service as a suite. Some features such as clinical trials management may not even be relevant to your process.

The other major deciding factors in purchasing an eQMS apart from your budget will be:

  • The number of staff that will need to access the client
  • The required storage capacity of the system
  • The extent of customisation required by your processes
  • The level of reporting detail required

Beyond the scope of QMS, there may be the option to include other systems such as validation, laboratory and building management systems depending on the depth of the service platform.

How to go about qualifying a QMS

There isn’t necessarily any requirement to qualify the QMS client and the cloud storage service separately as both are integral components of the package. It should be sufficient to qualify the two services as a single entity.

Web-based QMS packages are normally designated as GAMP 5 Category 4, which means standard, off-the-shelf, but highly configurable. The amount of configuration required depends on the size and complexity of the organisation using it and the how well the QMS provider is aligned toward your industry.

Due to the Software as a Service (SaaS) nature of a web-based QMS and being persistently online, there is nothing necessarily to “install”. The bulk of the qualification effort goes to confirming the service is configured correctly and performs appropriately.

Key data integrity points to focus on are:

  • Backup and restore,
  • Electronic Records/Electronic Signatures,
  • Audit trail functionality
  • User Management
  • Revision Control.

The provider will often offer a validation package for an additional fee. However, it is always up to the purchaser to ensure the work sufficiently meets theirs and the regulators’ requirements.

The following qualification items should be considered:

  • User Requirement Specification / Functional Specification
  • Functional Risk Assessment
  • Software Configuration Specification
  • Performance Qualification
  • Traceability Matrix
  • Data Migration Plan

The data migration plan is required if you already have a QMS in place. It involves integrating active components of your current QMS to the new system.

In most instances, the old QMS will run in read only mode after the new system is commissioned. Only active CC/CAPAs are migrated to the new QMS. The old system is kept as a legacy QMS for record purposes.

Once the handover is complete and validated, your new cloud QMS service will be the only source of your QMS records from that point forward. You will need to ensure your quality department is appropriately trained in its use.

Want more?

If you found this interesting, you may also like to check out the following blogs: