Recent client training and audits have led me to write this short blog to ensure this area of regulations and compliance is clear with respect to software.
There are some big changes coming to the current ISO 9001:2008 standard. A revised version of the standard, ISO 9001:2015, is planned to be published in September 2015. But what are the major differences between the current version and the future revision, and how will these changes affect organisations that currently use ISO 9001:2008?
The new revised standard will be based on a high-level structure of the ISO directives which further standardises core definitions, common terms and clauses. This will make ISO 9001:2015 more compatible with other ISO standards such as ISO 14001.
Some of the new changes that come with the revised ISO 9001 standard include New Clauses:
- Context of the Organisation
Old Clauses that will be removed:
Other changes include the introduction of the concept of risks and opportunities. Documentation and records will merge under a new term, ‘documented information’. There will also be new requirements for the management of change; these will apply to the change of products, processes and the quality management system within an organisation. Top managers will also have to ensure that their quality policies are aligned with the strategic business direction of the organisation, and that their quality management system is fully integrated into the organisation's processes. There will be a three-year transition period for companies to adopt the revised standard.
ISO 9001 is a generic standard: it can be applied to the manufacture of cheese and to a recruitment company. Whilst there are some clauses that can be applied to software, it is important to ensure that one of the standards and guidelines below is adopted in addition to the ISO 9001 standard:
- The TickIT guidelines are an interpretation of ISO 9001 established by the Department of Trade and Industry (DTI) and the British Computer Society to suit the processes of the information technology industry, especially software development.
TickITplus: This is a certification scheme that covers more than software development. It is intended to offer a flexible, multi-level approach to IT quality and certification assessment and can be applied at whatever level is deemed appropriate to the quality and process maturity of the organization and the needs of its customers. If multiple IT standards need to be addressed, these can be covered under one certification arrangement: http://www.tickitplus.org/
- ISO 13485:2012 is the medical industry’s equivalent of ISO 9001:2008. Whereas the standards it replaces were interpretations of how to apply ISO 9001 and ISO 9002 to medical devices, ISO 13485:2003 is a stand-alone standard. Because ISO 13485 is relevant to medical devices manufacturers (unlike ISO 9001, which is applicable to any industry), and because of the differences between the two standards relating to continual improvement, compliance with ISO 13485 does not necessarily mean compliance with ISO 9001:2008 (and vice versa).
However, like ISO 9001, ISO 13485 is quite generic with respect to software. The international standard IEC 62304 (medical device software – software life cycle processes) specifies life cycle requirements for the development of medical software and software within medical devices. It is harmonized by the European Union (EU) and the United States (US) and can therefore be used as a benchmark to comply with regulatory requirements from both these markets.
- GAMP® 5: A Risk-Based Approach to Compliant GxP Computerized Systems (Good Automated Manufacturing Practice) is an ISPE industry guideline: www.ispe.org.
GAMP® 5 provides pragmatic and practical industry guidance to achieve compliant computerized systems fit for intended use in an efficient and effective manner. This technical document describes a flexible risk-based approach to compliant GxP regulated computerized systems, based on scalable specification and verification. It points to the future of computer systems compliance by looking at the principles behind major industry developments such as PQLI; ICH Q8, Q9, Q10; and ASTM E2500.
This Guide addresses the entire lifecycle of an automated system and its applicability to a wide range of information systems, lab equipment, integrated manufacturing systems, and IT infrastructures. It contains new information on outsourcing, electronic batch recording, end user applications (such as spreadsheets and small database applications), and patch management.
In conclusion, if you are looking at software with respect to a GxP-critical system or medical device and the supplier has no references to any of the above, then I would tread carefully.