Qualio launches new validation approach
Qualio provides software designed to operate in regulated, GxP life science environments.
Validation of our software is therefore a key regulatory requirement for both us and our customers to meet.
The latest industry guidelines, and the broad shift to an assurance focus, encourage software vendors to do the bulk of the heavy lifting themselves, freeing their customers to focus on a sensible, efficient, risk-based and ‘least burdensome’ assessment of the software systems they’re onboarding.
Qualio has absorbed and applied this best practice to offer our customers a brand new software assurance approach that's compliant, gets your system up and running quickly, and doesn’t involve weeks of work or mountains of paper.
Why have we updated our approach?
Qualio commits to keeping constantly aligned with industry best practice and the latest guidelines.
And since the general direction of the industry is that of reducing the burden and effort of software validation for regulated companies, keeping up with best practice allows us to offer the best possible experience for our customers.
Qualio's GAMP category
Because of the levels of configuration built into the Events, Design Controls and Suppliers functionality of the system, Qualio falls into GAMP Category 4 as a configured software product.
It therefore sits between the risk and assurance levels of Category 3, fixed off-the-shelf software, and Category 5, customizable software requiring deep levels of coding.
The Second Edition of GAMP 5, released in July 2022, offers a risk-based model for Category 4 product onboarding as follows:
Qualio's new assurance approach
Modern computer system assurance is a shared exercise, with most of the work being performed by Qualio as your system vendor.
Qualio's responsibility is to prove that the software we provide is robust, effective, operational, and frequently tested.
We therefore document the requirements and test activities of our system using a typical SaaS development methodology, and share this with you for determining Qualio’s suitability for your intended use.
The customer doesn't need to generate documents for user needs, functions, or testing of those needs. These are all covered and documented as part of Qualio’s ISO 9001-certified quality management system.
The customer's responsibility is to understand your business processes and identify the key areas of concern where Qualio will touch, impact and transform these processes.
Qualio provides customers with templates to assist in this work, allowing you to focus solely on managing and testing your configuration as required by your unique risk profile.
Our end-to-end assurance approach looks like this:
1. Supplier qualification
- Qualifying Qualio as your SaaS eQMS vendor of choice. We maintain certification for both ISO 9001 and 27001 to demonstrate our commitment to our customers and to a robust, optimized quality management system. We are happy to host a remote audit of our QMS for new customers, and annually thereafter if required.
2. Planning
- Laying out the plan and approach to the overall computer software assurance activities to be managed
- Defining the responsibilities of both customer and Qualio
3. Business requirements and risk assessment
- Risk assessment of your business processes is recommended to help you scope any additional testing activities you may undertake
- Qualio system activity like document control, training, CAPAs and supplier management do not generally have any direct impact to product quality or patient safety. With that in mind, it’s your responsibility to pinpoint and work on any system processes you deem to be higher risk
4. Requirements, testing & traceability matrix
- User requirements, functions built to meet those requirements, and tests executed to demonstrate meeting of requirements are all established in Qualio’s software development lifecycle (SDLC) process and fully documented to make the entire process visible to our customers.
- This testing covers the software as built. You should determine, through your own business process documentation and risk assessment, if any configurations require any further testing
- Qualio provides a bundle of validation documentation to you to accelerate this process and give you objective evidence of Qualio’s integrity and suitability for purpose:
5. System configuration
- Receive a template to get you started on documenting the configuration of your instance. This becomes the baseline for change management for your instance going forward. The Qualio team will help you with this during your onboarding.
6. Validation Summary Report (VSR)
- Summarizes the entire validation effort and your system’s suitability for use
Re-assurance
Qualio owns the software.
You own the configuration and the data within.
Qualio will test every new change to the system before it is released to the customer, and document it in our impacted feature test documentation. These changes are then shared with the customer, before or as they happen, depending on the scope of the change.
As we've already seen, the customer's job is to assess the impact of that change to their configuration and to their documented business processes.
You may need to update your documents, and, if you previously chose to perform any configuration specific testing, you may need to assess the impact to that testing and decide if you need to test again.
However, the vast majority of Qualio system changes are small, incremental feature enhancements. We do this to limit the impact to our software and ultimately to minimize the ongoing re-assurance burden passed onto you, the customer.
FAQs
If Qualio tests the software as part of its own quality management activities, does that mean I don’t need to test it myself as part of our validation activities?
Qualio is a web-based, multi-tenant system that runs identically for all customers. It would therefore only be a waste of your time to repeat the functional tests already performed and documented by Qualio with tools like CircleCI and GitHub.
One customer expressed it like this: if you bought a piece of manufacturing equipment that had already passed through factory acceptance testing, there would be no need to immediately retest it yourself.
The only testing required by you comes from the specific system configurations you build into Qualio, and how they might impact on your business processes and, by extension, the safety of your products and patients.
Regulators like the FDA encourage a critical thinking- and risk-based approach to testing, so it’s appropriate to the business-specific risks you identify, and isn’t overly excessive or burdensome.
Why does Qualio require less rigorous assurance activity than other systems?
An eQMS is an example of low-risk, non-product software with no direct impact on patient safety, product quality, or the integrity of the data underpinning these areas.
Your auditors will expect your assurance activity to be focused proportionately based on the systems you’re using, and an eQMS naturally demands less rigorous assurance than a high-risk system for these reasons.
Qualio used to be GAMP Category 3. What changed?
When Qualio was a document and training platform with no configuration possibilities, it fell into Category 3.
The evolution of Qualio into a flexible, scalable quality management platform for managing quality events, medical device design controls and suppliers naturally upgraded the product to Category 4.
Although this new layer of configuration demands some critical thinking and risk assessment from customers, the low-risk nature of an eQMS (as above) means there's no reason this should be burdensome, time-consuming or painful.
Plus, the powerful business benefits of a flexible Category 4 eQMS more than outweigh any extra assurance demands!
A Qualio competitor is offering IQ, OQ and PQ documentation as part of their validation approach. Why aren’t you? Are you less compliant?
No!
Any modern software vendor providing IQ, OQ and PQ documentation as standard is simply sticking to 20-year-old outdated validation practice.
Both FDA CSA and ISPE GAMP guidance have now diverged from this approach, understanding that ‘linear’ documentation like IQs, OQs and PQs doesn’t reflect the non-linear, agile nature of modern software development.
Simply put: a vendor pushing this approach is only interested in appeasing customers worried about ticking old boxes – and not interested in offering a modern, streamlined and least burdensome approach for their customers.
Why is your process better than the old methodology of IQs, OQs and PQs?
The foundation of modern CSA is demonstrating that the system meets your requirements for intended use with a minimum of burden and effort.
With that as the basis, you’re proving that the system meets the requirements defined during its inception and in subsequent updates.
Qualio's mapping of the traceability of requirements to functions to testing (which is what we used to do with IQs, OQs and PQs) proves our system is suitable for use by leveraging our software development lifecycle process.
From there, you then configure the system to meet your needs and manage the configuration.
Our partnership as your eQMS vendor ensures we are managing the system for you as the experts.
And ditching time-heavy documents like IQs, OQs and PQs scrubs 2 weeks from our old setup timeframe and lets you start extracting value from Qualio even more quickly.
That’s why our work wins awards for ease and speed of set-up and our ‘go live’ time is around 50% faster than our competitors!
How will you support me if I’d like to do the validation myself instead of accepting your tests?
Qualio provides test scripts and documentation on requirements for the system, and you can format them as your company or your policies require.
I’ve been used to IQs, OQs and PQs my whole career. Can you give those to me?
Qualio provides test scripts and documentation on requirements for the system, and you can format them as your company and your policies require.
We also provide a template for customers who require performance qualification. For example, customers may want to PQ their complaint workflow in Qualio’s Events area, because this activity can impact patient safety.
However, as we’ve seen, customers are responsible for configuring, documenting and testing system workflows themselves.
I don’t believe regulators will accept this approach. How do you know they will?
Not only is the Qualio team highly experienced in modern quality and compliance, we aren’t afraid of listening to industry experts and third parties to keep our approach aligned with the latest trends and expectations.
We asked Sion Wyn, editor of GAMP 5, FDA advisor and a leading expert on computerized system compliance, to interrogate our software assurance approach and advise us on the direction of travel from the FDA and ISPE.
You can hear Sion’s thoughts on our assurance approach here.
And you can read our breakdown guide of all the threads of modern computerized system compliance, and why we do what we do, here.