Deviations Are Good For You!

There seems to be much ducking and diving when, for example, an issue comes up in testing. So is it a deviation or not?

On the one hand there is the tendency to avoid raising a deviation at all costs: it looks bad, it is a lot of work, I am in a hurry, etc. At the other extreme is the classic test script error. I had one the other day: I was asked whether, because the word “the” had been missed off the test script, that would warrant a deviation being raised. The quick answer is “no”, but on further investigation it turned out that the “the” was missing from the system response, and that the test script had in fact correctly included “the” in the expected response. So it is hardly surprising that there is a lot of ambiguity around deviations, especially when testers can be less than clear about what actually happened.

I try to keep it simple: if the system is operating correctly to specification, then generally it is not a deviation unless the tester failed to follow testing procedures. However, it needs to be made very clear on the test script what happened; the test script can be marked up appropriately, and it should be explicitly stated that the system is working according to requirements. If there is any doubt, or the explanation is so long that it does not fit on the test script, then it is better dealt with as a deviation.

Deviations are good, not something to be avoided. Why? Because for a reviewer, auditor or inspector it is your opportunity to explain what went wrong, the root cause and the remedial actions (if any) required, and to make everything crystal clear. Most importantly, it demonstrates that you are in control. It is my belief that a lot of the deviation avoidance which occurs is because of the over-bureaucratic procedures which are in place in many businesses, something which an electronic document management system such as ComplianceControl Centre can make much less painful.

Brief overview of key changes coming with ISO 9001:2015

For those familiar with ISO 9001:2008, here is an overview of the changes clause by clause:

Clause 4: Context of the Organization. This deals with the context of the organization, with a focus on senior management to understand the relationship between risk, challenges, and management systems.

Clause 4: Process Management. The determination of process risk and the allocation of responsibilities.

Clause 5: Leadership. This aims to align the company’s direction with quality management, to look at risk identification, assessment, and management from multiple directions, especially from the senior management.

Clause 6: Product Conformity and Customer Satisfaction. This section shifts from preventive action to a focus on risk and opportunity that relate to product conformity and customer satisfaction.

Clause 7: Efficient Resource Management. Newly included: continuous attention to customer needs and satisfaction.

Clause 8: Contingency Planning to improve customer communication. Additionally, assessment of design suitability before operations begin.

Clause 8: Controlling Outsourced Activities. The revision highlights the importance of efficient risk management of outsourced activities.

Clause 9: Stronger Measuring and Monitoring. These requirements flow into effective risk assessment and quality management.

Clause 10: Continual Improvement. Internal audits get a more structured approach.

All in all, the changes to ISO 9001 for the 2015 edition bring it up to date, and give it, and the businesses that use it, the tools required to anticipate and deal with future changes from a risk-based perspective.

ISO 9001:2015 Update: Is the new ISO 9001 update still applicable to software companies?

Recent client training and audits have led me to write this short blog to ensure this area of regulations and compliance is clear with respect to software.

There are some big changes coming to the current ISO 9001:2008 standard. A revised version of the standard, ISO 9001:2015, is planned to be published in September 2015. But what are the major differences between the current version and the future revision, and how will these changes affect organisations that currently use ISO 9001:2008?

The new revised standard will be based on the high-level structure of the ISO directives, which further standardises core definitions, common terms and clauses. This will make ISO 9001:2015 more compatible with other ISO standards such as ISO 14001.

Some of the changes that come with the revised ISO 9001 standard include new clauses:

  • Context of the Organisation
  • Leadership
  • Operations
  • Support

Old clauses that will be removed:

  • Preventive Action

Other changes include the introduction of the concept of risks and opportunities. Documentation and records will merge under a new term, ‘documented information’. There will also be new requirements for the management of change; these will apply to changes to products, processes and the quality management system within an organisation. Top managers will also have to ensure that their quality policies are aligned with the strategic business direction of the organisation, and that their Quality Management System is fully integrated into the organisation’s processes. There will be a three-year transition period for companies to adopt the revised standard.

ISO 9001 is a generic standard that can be applied equally to the manufacture of cheese and to a recruitment company. So, whilst it is a general standard and some of its clauses can be applied to software, it is important to ensure that one of the standards and guidelines below is adopted in addition to the ISO 9001 standard:

  • The TickIT guidelines are an interpretation of ISO 9001 established by the Department of Trade and Industry (DTI) and the British Computer Society to suit the processes of the information technology industry, especially software development.

  • TickITplus: This is a certification scheme that covers more than software development. It is intended to offer a flexible, multi-level approach to IT quality and certification assessment, and can be applied at whatever level is deemed appropriate to the quality and process maturity of the organization and the needs of its customers. If multiple IT standards need to be addressed, these can be covered under one certification arrangement.

  • ISO 13485:2012 is the medical industry’s equivalent of ISO 9001:2008. Whereas the standards it replaces were interpretations of how to apply ISO 9001 and ISO 9002 to medical devices, ISO 13485:2003 is a stand-alone standard. Because ISO 13485 is relevant only to medical device manufacturers (unlike ISO 9001, which is applicable to any industry), and because of the differences between the two standards relating to continual improvement, compliance with ISO 13485 does not necessarily mean compliance with ISO 9001:2008 (and vice versa).

However, like ISO 9001, ISO 13485 is quite generic with respect to software, so the international standard IEC 62304 (medical device software – software life cycle processes) specifies life cycle requirements for the development of medical software and of software within medical devices. It is harmonized by the European Union (EU) and the United States (US), and therefore can be used as a benchmark for complying with regulatory requirements from both of these markets.

  • GAMP® 5: A Risk-Based Approach to Compliant GxP Computerized Systems (Good Automated Manufacturing Practice) is an ISPE industry guide.

GAMP® 5 provides pragmatic and practical industry guidance for achieving compliant computerized systems, fit for intended use, in an efficient and effective manner. This technical document describes a flexible, risk-based approach to compliant GxP-regulated computerized systems, based on scalable specification and verification. It points to the future of computer systems compliance by looking at the principles behind major industry developments such as PQLI; ICH Q8, Q9 and Q10; and ASTM E2500.

This guide addresses the entire lifecycle of an automated system and its applicability to a wide range of information systems, lab equipment, integrated manufacturing systems and IT infrastructures. It contains new information on outsourcing, electronic batch recording, end-user applications (such as spreadsheets and small database applications) and patch management.

In conclusion, if you are looking at software with respect to a GxP-critical system or a medical device, and the supplier has no references to any of the above, then I would tread carefully.