First let me say I'm not sure where this should go as I need to talk bout both ISO-9001 and 13485
I'm new to Quality and ISO regulations (my background is as a chemist who has worked both in manufacturing- many years ago- and R&D), and while I have been exposed to GMP and had some GMP training, I never personally had to work under the regs (I spent almost 14 years at a drug delivery startup that got to an NDA submission, but I was in R&D and did not wok under GMP- Got laid off from there about 13 years ago).
My current employer (small company now about 20ish people) pivoted from 100% R&D for over a decade, to a contract manufacturer of biologics (ferments) about 1.5 years ago... My employer realized that we needed to be ISO 9001 to get enough business last year... and more recently that we could get significantly more/higher margin business if we were ISO 13485 certified.
Last year we started on the path to ISO certification... and towards the end of this month will be having Pre-Audit with the registrar and hopefully be certified by early summer... and then start working towards 13485...
Though as we don't make medical devices or anything going into medical devices I'm not sure how 13485 applies to us and to what degree... We COULD potentially make things that would be raw materials for use in making things likes vaccines or incorporated into diagnostic test reagents etc as well as cosmetics. From what we see in this industry companies that get Iso 13485 advertise as "GMP like"... Does that make a difference to how the standard is applied?
Since I had a Pharma background, somehow recently I wound up as Director of Quality (A job I never expected to have!) ... While I think I have a reasonable 1000ft grasp of the general principles, I know the devil is always in the details.
We are using Google Drive to store all of our controlled documents and records as scanned PDFs (in PDF/A Format). Google Drive provides both access control and Audit trail, as does google sheets (which we don't use for calculations - just got logs and raw material inventory as a database). So basically a hybrid system that is run like a papery system...
The paper forms are signed with wet signatures and scanned.Batch records are manually filled in wet signed and scanned as well. Version control is essentially manual with forms (tha get scanned after being signed) and version numbers on the documents.
The scans are what we consider to be the controlled document and "official" records... Our SOPs donor require the we keep the paper.
After ISO 9001 certification we plan to switch to with Docusign or Adobe Sign fro 21 CFR Part 11 compliant electronic signatures) to sign the PDFs.
The quality system here is based on the one from my pharma employment which was paper based... but modified for google docs use....
BTW we do not have an IT department.
What we have not done yet is write an SOP that codifies who has what access level to what in google docs and why, though in practice I think we are doing the right things... I know that absolutely has to be written ...
But then comes the bigger issues with this electronic approach, particularly with 13485:
Validation... I know our usage of google needs to be validated but outside of know that I have to write a protocol that tests the functionality we are using to do black box software validation... but I have never even seen one before as an example to work off of! (any links to goo examples would be appreciated!)
Then there is the issue of software version control : Obviously we have no control over when google makes any software changes that would require revalidation...
What about long term storage /readability...
What about Disaster recovery?
Is this approach viable for both ISO 9001 and 13485? What problems am I likely to run into?
Thanks
-Karen
I'm new to Quality and ISO regulations (my background is as a chemist who has worked both in manufacturing- many years ago- and R&D), and while I have been exposed to GMP and had some GMP training, I never personally had to work under the regs (I spent almost 14 years at a drug delivery startup that got to an NDA submission, but I was in R&D and did not wok under GMP- Got laid off from there about 13 years ago).
My current employer (small company now about 20ish people) pivoted from 100% R&D for over a decade, to a contract manufacturer of biologics (ferments) about 1.5 years ago... My employer realized that we needed to be ISO 9001 to get enough business last year... and more recently that we could get significantly more/higher margin business if we were ISO 13485 certified.
Last year we started on the path to ISO certification... and towards the end of this month will be having Pre-Audit with the registrar and hopefully be certified by early summer... and then start working towards 13485...
Though as we don't make medical devices or anything going into medical devices I'm not sure how 13485 applies to us and to what degree... We COULD potentially make things that would be raw materials for use in making things likes vaccines or incorporated into diagnostic test reagents etc as well as cosmetics. From what we see in this industry companies that get Iso 13485 advertise as "GMP like"... Does that make a difference to how the standard is applied?
Since I had a Pharma background, somehow recently I wound up as Director of Quality (A job I never expected to have!) ... While I think I have a reasonable 1000ft grasp of the general principles, I know the devil is always in the details.
We are using Google Drive to store all of our controlled documents and records as scanned PDFs (in PDF/A Format). Google Drive provides both access control and Audit trail, as does google sheets (which we don't use for calculations - just got logs and raw material inventory as a database). So basically a hybrid system that is run like a papery system...
The paper forms are signed with wet signatures and scanned.Batch records are manually filled in wet signed and scanned as well. Version control is essentially manual with forms (tha get scanned after being signed) and version numbers on the documents.
The scans are what we consider to be the controlled document and "official" records... Our SOPs donor require the we keep the paper.
After ISO 9001 certification we plan to switch to with Docusign or Adobe Sign fro 21 CFR Part 11 compliant electronic signatures) to sign the PDFs.
The quality system here is based on the one from my pharma employment which was paper based... but modified for google docs use....
BTW we do not have an IT department.
What we have not done yet is write an SOP that codifies who has what access level to what in google docs and why, though in practice I think we are doing the right things... I know that absolutely has to be written ...
But then comes the bigger issues with this electronic approach, particularly with 13485:
Validation... I know our usage of google needs to be validated but outside of know that I have to write a protocol that tests the functionality we are using to do black box software validation... but I have never even seen one before as an example to work off of! (any links to goo examples would be appreciated!)
Then there is the issue of software version control : Obviously we have no control over when google makes any software changes that would require revalidation...
What about long term storage /readability...
What about Disaster recovery?
Is this approach viable for both ISO 9001 and 13485? What problems am I likely to run into?
Thanks
-Karen