iSpeak Blog

Presentation of Controlled Documents with Paperless Validation Systems

Presentation of Controlled Documents with Paperless Validation Systems

With the widespread use of paperless validation software application comes the need to present digital CQV content to inspection professionals. This blogpost will summarize inspection topics for presenting digital CQV content and provide a list of common questions encountered during inspection events.

Background

In paper based CQV programs, the inspection process focuses on reports and execution binders; the reports summarize the conclusions of a specific study, and the execution binder provides the documented evidence used to support the conclusions in the report. During paper-based inspection events, a CQV package is requested and a printed report with a physical binder are brought in to support the request. For digital CQV systems, protocols, binders, and sometimes the reports, are merged into single digital packages. Presenting this digital CQV content in inspection events requires a different set of presentation strategies than those needed for paper systems.

Presentation Strategies for Digital CQV presentation

One question stands out above all others in the topic of digital CQV content in inspections, “Do we let an inspector see our digital content from within the application?”

Many companies chose to separate an inspector from the digital system and print all digital content out for inspection purposes. While this is a solid approach, the nature of some paperless CQV applications may complicate this approach.

  • Many systems allow for limited printing options - a protocol or report may be readily printed, but the embedded attachments may need to be printed separately and paginated by hand prior to bringing them into the audit room. A site with limited time and resources may not be able to support this approach.
  • Many systems will have highly developed digital user interfaces; however, content that is printed from these systems does not render on paper in a way that matches what is seen on the screen, making for an untidy and sometimes hard to read document.
  • However, in support of this approach, some paperless CQV applications can print a document, all its attachments, and automatically paginate attachments with links to the source document. With this feature available, the ability to provide paper documents during an inspection, or read ahead materials ahead of an inspection, provides a high degree of control over the inspection process.

Many companies have chosen to present the digital content directly to inspectors. In support of this approach, several best practices must be agreed to within the company to ensure that the inspector is limited to seeing only content that is relevant to a specific request. Successful best practices include the following suggestions:

  • Identify a subject matter expert for a specific request to present the digital material in the audit. Have the SME prepare all documents needed to support a request opened in separate tabs on the browser. These documents may include protocols, report, non-conformances, supporting engineering studies, etc.
  • During the presentation of the digital material, the SME will answer questions about the request and navigate to specific documents, and sections with documents, for inspectors to review.
  • Some companies have learned how to create controlled digital spaces in their paperless CQV applications that allow for an inspector to browse within a document without the opportunity to navigate into active production spaces. The approach works well for inspectors who favor reading materials to themselves.

Frequently asked audit questions for Paperless Validation Systems

Is the application cloud based or on-premises?

Most paperless validation applications are supported as SaaS (cloud based) offerings; however, a smaller set are hosted on in-premises or ‘Prem’ hardware. In the case of cloud architecture, be prepared to discuss the system architecture and application environment that hosts the SaaS application. In the case of Prem installations, in addition to system/software architecture be prepared to discuss hardware and network architecture.

How is backup and restore of GMP content managed with this application?

Be prepared to discuss general backup and restore features of the application’s main features. This conversation can lead to questions about the strategies a SaaS provider employs to ensure the integrity of a Company’s data. A deeper dive into this topic will require detailed knowledge about data encryption, data server management, version control, primary and secondary backup server facilities, scheduled backups, ongoing monitoring and testing of the Backup and Restore procedures.

In the event of a disruption of the service, what is the business continuity plan?

Be prepared to discuss your Company’s internal backup and restore policies as well as the SaaS providers commitment to support and response times to business outages. It is good practice to document business continuity instructions in local SOPs to guide users on best practices for short and long duration outages.

Can you describe the audit trail features of this application?

Audit trails in paperless validation systems can mean many different things. Fully understanding the different meaning and being prepared to discuss will save unnecessary confusion in an audit situation. For example:

  • An audit trail can mean the log of activities that are recorded at the protocol level, like corrections to data.
  • An audit trail can mean an administrative audit trail where extra-protocol/report events are recorded. Examples of audit trail activities include documentation, template, test execution, administrative, security, library, and authentication events.

Is the audit trail reviewed on a periodic basis?

Paperless validation applications are generally viewed as consumers of raw data and not generators of the same. A company’s data integrity program may require that an audit trail review be performed prior to approval of a paperless record or on a periodic basis; however, this requirement is generally meant to apply to QC laboratory system that generate raw data. A good best practice is to evaluate the intent of the paperless validation application’s use, frequently performed in a risk assessment, to demonstrate that the application’s use is outside of the scope for this type of periodic review.

What happens to paper records after their content is scanned and uploaded to the paperless validation application?

Many companies are divided on this topic and a clear understanding of data integrity and the concept of ‘True Copy’ is required to properly address this question. The ISPE paperless validation sub-committee addresses this important topic in a separate blog post.

Is the user access roster reviewed on a periodic basis?

User access review is an industry best practice. Be prepared to answer this question with SOP instructions and evidence of past periodic reviews.

What is the role of the ‘Administrator’ in the application?

Per data integrity guidance and industry best practices, a system administrator role should be fulfilled by an individual with no vested interest in the outcome of protocols/reports generated by the system. While some paperless applications can separate access privileges between user administrators and super-users, some applications grant super-user access to the administrator role. If your application is like the latter example, be prepared with program level SOP instructions that describe how the role of super-user and administrator are staffed with different people.

How is change managed in this application?

Changes that impact the validated state of an application are managed by formal change control. What about changes to the configured state of the application? Be prepared to address this question with SOP instructions and examples that describe how change is documented for instances where a change does not impact the validated state.

Do master and/or service level agreements exist for this application?

It is best practice to maintain MSA/SLA agreements for any SaaS application that hosts a company’s data. If this document is in place, ensure that it can be retrieved quickly.

Summary

In summary, several robust and compliant options are available for the presentation of digital CQV content to our inspection community colleagues. The paperless validation sub-committee looks forward to hearing about our industry experienced with this topic. Please reach out to us through communities@ispe.org for further information.