IT owning CSV program with little to no QA involvement

C

CastorTroy

Registered
Hello - I started a new role in QA at a pharma company and my first task is to assess the current state of the CSV program, including CSV change control. In this org, IT owns and manages the CSV program, and all changes to systems both GxP and non-GxP, with very little oversight by QA. In addition, IT uses a popular tool like ServiceNow to manage change control which is not validated, even though there is an eQMS change control software that is validated. IT seems to have the power and no one from QA has challenged them.

How can I approach this from a risk standpoint, specifically, which regs/standards this would be in violation of? I am trying to move forward in an objective manner and to be proactive towards shifting this process to QA, and use kid gloves considering there are some strong desires from IT to leave things as-is.

Any help would be greatly appreciated.
 
Y

yodon

Leader
Super Moderator
Instead of trying to wrestle (with kid gloves) control from them, why not just work with them to align things within the current framework?

Do you have an internal audit program? At least point out where there may be deficiencies and work with them to correct.
 
C

CastorTroy

Registered
yodon said:
Instead of trying to wrestle (with kid gloves) control from them, why not just work with them to align things within the current framework?

Do you have an internal audit program? At least point out where there may be deficiencies and work with them to correct.
Click to expand...

I appreciate your perspective.
 
T

Tidge

Trusted Information Resource
CastorTroy said:
How can I approach this from a risk standpoint, specifically, which regs/standards this would be in violation of? I am trying to move forward in an objective manner and to be proactive towards shifting this process to QA, and use kid gloves considering there are some strong desires from IT to leave things as-is.
Click to expand...
I'll offer some suggestions, although I don't like the origin of this question; I don't mean this to be personal: It sounds like a case of "I know they are doing something wrong, I just don't know what."

CS Validation (or Assurance, in some areas) is a regulatory necessity only when the CS has been delegated some responsibility as spelled out in the regulations. Some common areas of regulatory responsibility where CS are used include:
  • Production controls/testing (e.g. using computerized systems to control batch production in pharma)
  • Calibrations and Equipment Maintenance
  • Management of Records (storage, revision)
There may be others depending on the industry. Additionally: Many regulated industries may have special regulatory requirements around electronic approvals of records... but approvals themselves are "adjacent" to the other regulations. In other words, for a particular set of US regulations: 21 CFR Part 11 describes necessary characteristics of electronic records/signatures if they are used... it is all about necessary implementation details and not necessarily foundational. But I digress.

I would NOT be so quick to shift this to QA, depending on the nature of the systems and how those systems are used in the business... no matter the industry. I was in the QA Non-Product Software space for years... so it isn't as if I can't see the sharp edges, and I don't want to downplay CSA/CSV as non-serious. I will write this: In my industry I never had an actual regulatory reviewer or auditor ever ask about the validated state of a computer system; they usually ask something like "what do you use?" and that was the totality of their ask. I hold onto my bitterness due to a series of 3rd parties that nurtured panic (and collected $millions) for no-value added work in the area of NPS validation.

If the system is working, and is not causing issues... I wouldn't go looking for trouble(*1).

Typically the shortcomings of having an IT team having most of the responsibility are:
  • They often don't make changes in anything like a controlled way... sometimes not even in a planned way!
  • They don't have a complete view of how the CS is actually fulfilling a regulatory requirement.
Typically the shortcomings of have a QA team having most of the responsibility:
  • QA teams tend to approach NPS validation/assurance as "paperwork is queen"
  • QA teams often default into "only knowing as much about a system as they want to know"... that is "I'm just Quality, someone else knows the answer."
(*1) There are some low-intensity efforts that could be done if they are not currently done. Without knowing the details of how CS is used in your pharma company I hesitate to make any detailed suggestions.
 
Bev D

Bev D

Heretical Statistician
Leader
Super Moderator
In my experience the real issue here is arrogance and confirmation bias. IT often feels like they are (1) infallible and (2) the real experts on whatever process they are automating. Of course they are just as fallible as anyone else…In a mature organization they are not the experts and they shouldn’t be; they should be experts in IT/programming. Being the expert in two areas is very rare. But of course QA often fails in at least three areas: (1) they aren’t the experts in the processes being automated, (2) they aren’t experts in software and (3) they aren’t the experts in validation. They are too often the experts in drowning by paper…

This isn’t an issue of who owns “change control” which is often just a paperwork exercise. It is an issue of effective validation of software changes that meet the process need. The best choice for owners of who drive that validation are the owners of the process being validated. Unless of course they are not experts in their own processes - in which case you have bigger problems.

In the end business is a team sport. It isn’t golf or tennis. TEAM means IT, QA AND Process
 
C

CastorTroy

Registered
Tidge said:
I'll offer some suggestions, although I don't like the origin of this question; I don't mean this to be personal: It sounds like a case of "I know they are doing something wrong, I just don't know what."

CS Validation (or Assurance, in some areas) is a regulatory necessity only when the CS has been delegated some responsibility as spelled out in the regulations. Some common areas of regulatory responsibility where CS are used include:
  • Production controls/testing (e.g. using computerized systems to control batch production in pharma)
  • Calibrations and Equipment Maintenance
  • Management of Records (storage, revision)
There may be others depending on the industry. Additionally: Many regulated industries may have special regulatory requirements around electronic approvals of records... but approvals themselves are "adjacent" to the other regulations. In other words, for a particular set of US regulations: 21 CFR Part 11 describes necessary characteristics of electronic records/signatures if they are used... it is all about necessary implementation details and not necessarily foundational. But I digress.

I would NOT be so quick to shift this to QA, depending on the nature of the systems and how those systems are used in the business... no matter the industry. I was in the QA Non-Product Software space for years... so it isn't as if I can't see the sharp edges, and I don't want to downplay CSA/CSV as non-serious. I will write this: In my industry I never had an actual regulatory reviewer or auditor ever ask about the validated state of a computer system; they usually ask something like "what do you use?" and that was the totality of their ask. I hold onto my bitterness due to a series of 3rd parties that nurtured panic (and collected $millions) for no-value added work in the area of NPS validation.

If the system is working, and is not causing issues... I wouldn't go looking for trouble(*1).

Typically the shortcomings of having an IT team having most of the responsibility are:
  • They often don't make changes in anything like a controlled way... sometimes not even in a planned way!
  • They don't have a complete view of how the CS is actually fulfilling a regulatory requirement.
Typically the shortcomings of have a QA team having most of the responsibility:
  • QA teams tend to approach NPS validation/assurance as "paperwork is queen"
  • QA teams often default into "only knowing as much about a system as they want to know"... that is "I'm just Quality, someone else knows the answer."
(*1) There are some low-intensity efforts that could be done if they are not currently done. Without knowing the details of how CS is used in your pharma company I hesitate to make any detailed suggestions.
Click to expand...
Thank you for sharing your perspective on CSV. It’s valuable to hear different viewpoints on this topic, and your insights into the roles of IT and QA teams are insightful.
 
C

CastorTroy

Registered
Bev D said:
In my experience the real issue here is arrogance and confirmation bias. IT often feels like they are (1) infallible and (2) the real experts on whatever process they are automating. Of course they are just as fallible as anyone else…In a mature organization they are not the experts and they shouldn’t be; they should be experts in IT/programming. Being the expert in two areas is very rare. But of course QA often fails in at least three areas: (1) they aren’t the experts in the processes being automated, (2) they aren’t experts in software and (3) they aren’t the experts in validation. They are too often the experts in drowning by paper…

This isn’t an issue of who owns “change control” which is often just a paperwork exercise. It is an issue of effective validation of software changes that meet the process need. The best choice for owners of who drive that validation are the owners of the process being validated. Unless of course they are not experts in their own processes - in which case you have bigger problems.

In the end business is a team sport. It isn’t golf or tennis. TEAM means IT, QA AND Process
Click to expand...
I agree with your perspective, and I appreciate your insights on the importance of collaboration and recognizing expertise in different areas. You’re absolutely right; in a mature organization, teamwork involving IT, QA, and Process experts is key to effective validation and successful software changes. It’s about leveraging each team’s strengths to ensure processes are not only automated but also validated effectively. Thank you for sharing your thoughts.
 
Jim Wynne

Jim Wynne

Leader
Admin
Bev D said:
In the end business is a team sport. It isn’t golf or tennis. TEAM means IT, QA AND Process
Click to expand...
Part of the problem is that validation is often a self-fulfilling prophecy. The strategy should be to try to prove the hypotheses wrong, instead of the common parth of trying to prove them to be correct. Physicist Richard Feynman: "The first principle is that you must not fool yourself and you are the easiest person to fool."
 
You must log in or register to reply here.

Similar threads

G
A Quality Management Look into Santa's Workshop
Replies
0
Views
3K
Gert Sorensen
G
M
Probably going to get an APIP (Accredited Persons Inspection Program) inspection
Replies
2
Views
2K
Roland Cooke
R
I
APQP Process Review and the Purpose of PPAP
2
Replies
13
Views
8K
chaosweary
C
Sidney Vianna
ISO 9001 Frequently Asked Questions (FAQ's) Cut and Pasted from the ISO Site - Update August 2022
2
Replies
12
Views
27K
Peter Fraser
Peter Fraser
V
Registrars auditing to the spirit of TS 16949
2
Replies
14
Views
6K
Helmut Jilling
H
Top Bottom