
Best Practices in Quality & Compliance Management

Foreword
With a dramatic increase in the number of regulations over the last decade, Risk Management and
Regulatory Compliance have taken on increased visibility and focus. Key metrics that measure risk and
compliance are now being tracked and monitored at the corporate level. However, organizations are
finding that their plant-level deployments of compliance solutions create information silos and prevent
senior management from getting an aggregated view of regulatory risk/cost. Hence these organizations
are gradually replacing them with a single enterprise-wide software solution. In addition to improving
visibility, organizations wrestling with upgrading legacy systems to comply with new regulations
sometimes find the cost to be higher than the cost of deploying a brand new solution. This is also
leading to accelerated adoption of a single enterprise-wide compliance solution.

As a leading vendor of quality and compliance software, we are helping many leading companies make
this transition today. In the process, we have learned a lot about emerging best practices, new
performance metrics and key success factors. We have documented some of this learning in this
collection of papers.

I hope you enjoy reading these papers. Please feel free to forward this collection to your peers.

Regards

Shellye Archambeau
CEO, MetricStream

Copyright © 2005 by Shellye Archambeau. All rights reserved. Manufactured in the United States of America. Except as permitted under the
United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a
database or retrieval system, without the prior written permission of the publisher.

Contents
A Framework for Systems Validation for the FDA environment
Overview of Impact of 21CFR Part 11 on Information Systems
Best Practices in Internal Audit
Here comes TS 16949
Impact of Regulatory Compliance on Quality and Profits
Incorporating Audits in your Operational framework
Incorporating quality into management style
Managing Quality at Outsourced Manufacturing Operations
Roadmap for compliance with 21 CFR Part 11
Supplier Charge-backs
What is Your Company's Cost of Poor Quality - Tools for calculating and reducing it
Workplace Safety Compliance: The New Approach
Corrective Action (CAPA) Systems at Innovative Companies
Ensuring Regulatory Compliance through Training and Certification
IT Systems Validation for Regulatory Compliance
Implementing a well designed audit program
How to build a Business Case for a Quality Management System
Using a Compliance Platform to build Custom Quality and Compliance Applications
Raising your Audit Score through effective Document Control
Reducing New Product Introduction (NPI) time using a packaged software solution
New User Access Requirements for 100% Compliance
Smart Investment Strategies for a Compliance Platform: A Ten Step Guide
How to give a Quality Score to your Supplier
Can't get budget approval for your Quality Management System?
Paper-based quality system is more costly than you think
Role of a Quality Management System in Six Sigma Deployments

A Framework for Systems Validation for the FDA environment

21 CFR Part 11 requires that all systems that govern any cGxP process, including Good Manufacturing
Practices (GMPs), Good Laboratory Practices (GLPs), and Good Clinical Practices (GCPs), be
validated. The FDA issued very comprehensive guidance on systems validation in a document released in
January 2002. This white paper uses that FDA guidance as an input to define an “easy-to-implement”
framework for systems validation. Finally, the paper identifies a best practice which calls for IT organizations
and software vendors to proactively audit their software development and implementation processes on an
ongoing basis to identify and correct any systemic issues and so lower the cost of compliance.

Why System Validation?

Current Good Manufacturing Practices (cGMP) are mandated by the FDA to ensure that the products
manufactured by industries such as pharmaceuticals, biotech and medical devices meet specific
requirements for identity, strength, quality, and purity. In order to comply with cGMP, companies are required
to record, track, manage, store and easily access various production documents and their detailed change
history, including Standard Operating Procedures (SOPs), Master Production Batch Record (MPBR),
Production Batch Record (PBR), equipment log books etc. Historically, all such documents have been
maintained on paper by companies in order to comply with FDA's cGMP. Even as companies automated
their production and quality processes, they were still being forced to maintain and track paper records for
FDA acceptance. The Code of Federal Regulations (CFR) Part 11 was implemented in 1997 to let the FDA
accept electronic records and signatures in place of paper records and handwritten signatures for compliance.
The regulation outlines controls for ensuring that electronic records and signatures are trustworthy, reliable,
and compatible with FDA procedures, and as verifiable and traceable as their paper counterparts.

Figure 1: Scope of 21CFR Part 11 Requirements (Source: CGE&Y)

Hence 21 CFR Part 11 also specifies a number of requirements for software systems to enable trustworthy
and reliable electronic records and signatures - see Figure 1. These software requirements must be met for
the resulting electronic records to comply with FDA's cGMP. If an organization does employ electronic
records and signatures, but fails to comply with these system requirements, the FDA will cite the firm for
violating the underlying regulation. For example, if a drug company maintains its written complaint records,
required by 21 CFR 211.198(b), in electronic form, but the agency finds that these records are unacceptable
substitutes for paper records, the FDA would charge the firm with violating 211.198(b). The potential impact
might include FDA requested recall, FDA mandated recall, Warning Letter, seizure, injunction, prosecution,
civil penalties, and detention.

System Validation is a key 21CFR Part 11 requirement - its primary benefit is to assure quality and performance
of the systems deployed to manage any cGxP process. It is the establishment of documented evidence that
provides a high degree of assurance that a specific process, managed by the system, will consistently yield
a product meeting its predetermined specifications and quality attributes. The ultimate goal of any system
validation project is to realize and sustain compliance, while ensuring the peak performance and functionality
of those systems.

What is System Validation?

Validation is the process of compiling written verification of all system functions and the performance of
those functions to system specifications, as well as data integrity and system maintenance. That written
documentation must be in alignment with the industry standards and regulatory laws that guide the FDA in
their evaluation and enforcement of regulatory compliance. To successfully manage compliance, each
regulated system must be proven to operate in accordance with its intended use and design, and all
documentation supporting that evidence must culminate in FDA-acceptable documentation.

The FDA’s “General Principles of Software Validation; Final Guidance for Industry and FDA Staff”, published
jointly by CDRH and CBER, was originally written with the medical device industry as its intended audience.
This guidance describes how certain provisions of the medical device Quality System regulation apply to
software and FDA’s current approach to evaluating a software validation system. Any software used to
automate any part of the device production process or any part of the quality system must be validated for its
intended use, as required by 21 CFR 820.70(i). Hence, this requirement applies to any software used to
automate device design, testing, component acceptance, manufacturing, labeling, packaging, distribution,
complaint handling, or to automate any other aspect of the quality system. In addition, computer systems
used to create, modify, and maintain electronic records and to manage electronic signatures are also subject
to the validation requirements. Systems that maintain certain employee training records may even be subject
to validation. Such computer systems must be validated to ensure accuracy, reliability, consistent intended
performance, and the ability to discern invalid or altered records.

This guidance is now being held up to the rest of the FDA-regulated world as an example of best practices
in computer system validation. It is now used to validate systems that are governed by any of
the GxP regulations, including Good Manufacturing Practices (GMPs), Good Laboratory Practices (GLPs),
and Good Clinical Practices (GCPs).

Framework for System Validation

While various consulting companies have created their own methodologies for systems validation, our
experience shows the following framework to be comprehensive and applicable to both off-the-shelf and
home-grown software. This framework ensures that the software being deployed is most likely to be compliant with
FDA requirements and will continue to sustain the compliance over time. Key elements of that framework
include:
• Compliance with core 21CFR Part 11 requirements: This element ensures that the software is
  compliant with key requirements of the regulation, including:
    • Any change to any record is captured in the audit trail, and these entries are time stamped with
      additional information including operator name and why the record was changed.
    • The system provides adequate security to prevent unauthorized modification by ensuring role-based
      access and preventing users from directly updating the database.
    • The software employs electronic signatures for any transaction into the system.
• Software Development Lifecycle: This element ensures that the software vendor (or an IT
  organization that develops its own software) follows a clearly defined and documented software
  development lifecycle to ensure quality and prevent software defects. The components of the lifecycle
  include:
    • All system requirements must be clearly defined and approved before any design or coding
      effort starts. All system functions must be identified at this stage.
    • The system design specification must be clearly documented, and design reviews must be done to
      evaluate the capability of the design to meet system requirements and to identify any problems.
    • Test plans, test procedures and test cases should be developed as early in the development lifecycle
      as possible.
    • Coding standards should be well documented, and code reviews must be done to ensure that
      these standards are followed.
    • A multi-level testing methodology including unit test, functional test, integration test and system test
      must be followed. In addition, stress testing and disaster recovery testing must be performed to
      ensure that system performance requirements are met.
• Closed-loop change control: This element ensures that proper change control documentation,
  approval and testing procedures are followed for any changes, including correcting software defects,
  adding new capabilities for a new version of the software or making changes to software
  configuration. Change control procedures must be written and well understood through training,
  to ensure compliance. Unauthorized changes to a validated system, even during the implementation
  process, can have a detrimental effect on the system integrity.
• Facility: This element ensures that the vendor facilities (or an IT organization's software development
  lab) employ adequate security controls to prevent unauthorized access to software, computer rooms
  and backup media storage rooms.
• Organization: This element ensures that the software developers, designers, QA engineers and
  project managers are trained to perform the technical aspects of their jobs and the company has
  training policies to ensure they continue to have the right skills on an ongoing basis to do their job.
• Validation for intended use: This element ensures that the requirement specifications are developed
  for the intended use of the system. The system documentation is compared to the intended use
  specification to identify any gaps. Then the system is tested against the intended use specification
  to identify any additional gaps. Any major gaps are fixed using the closed-loop change control
  method described above and retested before the system is validated as ready for intended use.

Figure 2: Change Control Process

Organizations that implement this framework find it easier to keep their system FDA validated on an ongoing
basis.
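
The first framework element (an audit trail entry for every change, carrying a time stamp, operator name and reason, plus role-based access with no direct database updates) can be illustrated as follows. This is an added example, not code from the paper or from any vendor product; the role names, operators and record ids are constructed, and the SHA-256 hash chain used to make altered entries detectable is an assumption of the example, since the paper does not prescribe a mechanism.

```python
import hashlib
import json
from datetime import datetime, timezone

# Assumed role model (hypothetical names): only these roles may change records.
WRITE_ROLES = {"qa_manager", "production_supervisor"}
GENESIS = "0" * 64  # prev_hash of the first entry


def entry_digest(entry):
    """SHA-256 over a canonical JSON encoding of every field except 'hash'."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class RecordStore:
    """Records change only through update(); each change appends an audit entry."""

    def __init__(self):
        self.records = {}  # record_id -> current value
        self.trail = []    # append-only audit trail

    def update(self, operator, role, record_id, new_value, reason, when=None):
        # Role-based access: reject the change before anything is written.
        if role not in WRITE_ROLES:
            raise PermissionError(f"role {role!r} may not modify records")
        # The "why" is mandatory, not optional free text.
        if not reason or not reason.strip():
            raise ValueError("a reason for the change is required")
        when = when or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.trail),
            "timestamp": when.isoformat(),
            "operator": operator,
            "role": role,
            "record_id": record_id,
            "old_value": self.records.get(record_id),
            "new_value": new_value,
            "reason": reason.strip(),
            # Chaining to the previous entry makes edits and mid-trail
            # deletions detectable.
            "prev_hash": self.trail[-1]["hash"] if self.trail else GENESIS,
        }
        entry["hash"] = entry_digest(entry)
        self.trail.append(entry)
        self.records[record_id] = new_value
        return entry

    def verify(self):
        """Return the index of the first altered or missing entry, else None."""
        prev = GENESIS
        for i, entry in enumerate(self.trail):
            if (entry["seq"] != i or entry["prev_hash"] != prev
                    or entry["hash"] != entry_digest(entry)):
                return i
            prev = entry["hash"]
        return None

    def untracked_changes(self):
        """Record ids whose stored value differs from what the trail replays to,
        i.e. values written directly to the store without an audit entry."""
        expected = {}
        for entry in self.trail:
            expected[entry["record_id"]] = entry["new_value"]
        ids = set(expected) | set(self.records)
        return sorted(i for i in ids if expected.get(i) != self.records.get(i))


def demo():
    """Constructed sample data: operators, roles and record ids are made up."""
    store = RecordStore()
    t = datetime(2005, 1, 10, 9, 0, tzinfo=timezone.utc)
    store.update("asmith", "qa_manager", "SOP-014", "rev B", "initial release", t)
    store.update("bjones", "production_supervisor", "SOP-014", "rev C",
                 "corrected mixing time", t)
    try:
        store.update("cdoe", "line_operator", "SOP-014", "rev D", "typo fix", t)
        denied = False
    except PermissionError:
        denied = True
    intact = store.verify()                      # chain is consistent
    store.trail[0]["operator"] = "someone_else"  # simulate an edited audit entry
    tampered_at = store.verify()                 # first entry no longer matches
    store.records["SOP-014"] = "rev Z"           # simulate a direct database update
    return denied, intact, tampered_at, store.untracked_changes()


if __name__ == "__main__":
    print(demo())
```

An unkeyed hash chain only exposes changes made by someone who cannot also rewrite every later entry, and it cannot detect entries removed from the end of the trail. Recording the latest hash somewhere outside the database covers both cases.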

Using a QMS system for Proactive System Validation

In a world where technology and business practices are dynamic rather than static, reactive compliance audit
methodologies provide questionable value. Best practices call for IT organizations and software vendors to
use the above framework to proactively audit their software development and implementation processes on
an ongoing basis to identify and correct any systemic issues. Industry leaders are deploying Quality
Management Systems (QMS) within their IT/development organizations to streamline and automate the
entire internal audit and corrective action process.

The QMS system serves as a system-of-record for the systems validation project. All documents including
SOPs, specifications and test plans are stored in its repository. The QMS audit capabilities are used to
create and track an audit checklist and its results. Once issues have been identified through the internal
audit process, the first step is to initiate an investigation and to properly identify the root cause of the
problem. After the root cause has been identified, Corrective Action (CAPA) items are created. When corrective
actions are approved, appropriate changes are implemented in the environment through a change-control
process and then the CAPA is closed out. These changes may include amendments to a documented
procedure/SOP or creating a new documented procedure/SOP when one is lacking, or placing controls to
ensure that the documented process is followed, or upgrading the skill set of an employee through a training
and certification process. The QMS dashboard gives IT and regulatory management an ongoing view into the
process metrics. By using a QMS, companies ensure that the ongoing and proactive audit and corrective
action process is systematized and provides the basis for lowering the cost of compliance.

In summary, system validation is not a one-time project – it is an ongoing process. Through a combination of
a good implementation of system development lifecycle and proactive internal auditing of the software
development and implementation process, companies can easily comply with the system validation
requirements of 21CFR part 11 at a lower cost of compliance.

Overview of Impact of 21CFR Part 11 on Information Systems

Pharmaceutical, medical device, biotechnology and services companies are challenged to ensure regulatory
compliance through all their operations. A critical success factor is in their ability to have a common
enterprise-wide solution for capturing out-of-spec/non conformance, tracking and managing the corrective
action process, ensuring that the recommendations are implemented successfully and providing visibility into
the process and performance metrics at various operational and management levels.

In August 1997 the Food and Drug Administration (FDA) passed Part 11 of Title 21 of the Code of Federal
Regulations and established standards for the use of electronic records and signatures as an equivalent
and/or substitute for paper records and handwritten signatures executed on paper. Part 11 applies to all
areas governed by the FDA and includes the pharmaceutical, medical devices, and biotechnology sectors,
and extends to all records in electronic form. It is applicable to records identified in predicate rules, that is,
previously published regulations such as Good Clinical Practices (GCP), Good Laboratory Practices (GLP), and Good
Manufacturing Practices (GMP).

As illustrated in figure 1, the rule was designed to ensure that information is accurate, trustworthy, and
traceable across the multiple systems and entities that fall within the FDA program areas. Most importantly,
the legislation was not intended to be just another exercise in regulatory compliance. Instead, it was designed
to enable both the FDA and the Life Science industry to take advantage of new technologies to improve
efficiency and speed in both operations and the regulatory process, and to incorporate electronic document
control and change management technology into their current business processes. By establishing tight
user-authentication and security, enabling audit trails, and enforcing records retention, pharmaceutical
companies could realize the full benefits of electronic records and signatures while remaining fully compliant.

(Source - CGEY, 2002)

As illustrated in figure 2, Part 11 affects the entire value chain and is more pervasive in some applications
in key segments of the value chain than in others. For some applications such as Clinical Data Management,
Quality Management or Manufacturing Execution Systems, Part 11 influences every element of the application.
For other applications such as ERP, CRM, or Training Management Systems, Part 11 impacts only selected
workflows and data elements. In addition, the use of good data management techniques and well constructed
standard operating procedures (SOPs) can ensure that many applications which should not contain
data of record for regulatory purposes do not inadvertently become subject to the requirements of 21 CFR Part
11. Non-compliance in some applications is more likely to trigger an enforcement action than in others. Which
applications are more important, within a specific organization, depends on how the data is used, prior
regulatory history, and recent enforcement trends.

(Source - CGEY, 2002)

MetricStream's best-of-breed Enterprise Quality and FDA Compliance solutions help life sciences companies
implement quality management, non-conformance tracking, corrective action and change control throughout
the enterprise.

Best Practices in Internal Audit

Internal auditing is a mechanism by which an organization examines a business process to evaluate its
ability to comply with internal and external requirements. It is also a very effective tool to implement a
discipline of continuous improvement. Internal audits enable management to:

• Discover what's really going on within the organization, which enables objective decision making and
enables managers to direct the resources towards the right issues
• Learn about potential problems before they become burning issues
• Identify failure points within a process, so relevant stakeholders can implement corrective actions in a
timely manner
• Determine the effectiveness of controls within a process

Attributes of a successful internal audit program


To be effective, the internal audit and the corrective and preventive action (CAPA) processes must be fully
integrated in a closed-loop manner. Internal audit of a process/organization takes a snapshot of the current
environment, maps it to defined requirements or specifications and then identifies nonconformities or
opportunities for improvement. These nonconformities are then fed into a corrective action process, which
recommends specific actions and solutions. The lead auditor should then verify that the corrective action
has been implemented and the root cause of the original nonconformity has been eliminated.

An internal-audit program within an organization is less likely to be successful when it does not have the
right management support and commitment. In organizations where the audit program consistently delivers
good results, the closed loop audit/corrective action process is likely to be institutionalized as a result
of the management support. A key attribute of such an organization is any process-owner's ability to answer
the following questions very clearly:

• Are the processes and metrics clearly defined, so internal audit process can discover unambiguous
non-conformance?
• How does the audit process incorporate the results of previous audits to track progress against previously
discovered nonconformities?
• What is the process to identify potential root causes in a timely manner for the non-conformities that
are discovered by the audit process? Are corrective actions always taken to eliminate such root causes
or potential root causes?
• How is the data on corrective and preventive actions reported and analyzed?
• How do employees receive feedback on their respective non-conformities?

Five key activities in an internal audit


An internal audit is almost always successful when an internal auditor is able to carry out the following five
linked activities:

• Audit schedule: The purpose of the audit schedule is to communicate when the organization can
expect to be audited, who will lead the effort, which high level processes will be included in the audit
and what type of resources may be needed from the process owner. Audits scheduled far in advance
always produce better results.
• Audit plan: An audit plan should detail a single audit's scope, objectives and agenda. The plan provides
a chronology of the audit from start to finish: which specific processes and sub-processes will be
audited, exactly when they'll be audited, who will do it and which requirements will be audited in each
segment.
• Audit management: The lead auditor manages the overall process, including managing and
communicating any changes to the audit plan, communicating the audit progress to the stakeholders,
ensuring that the audit process stays on track, reviewing all nonconformities to ensure that they're
logical, valid and clear, resolving all conflicts constructively and ensuring that the entire audit is conducted
professionally and positively.
• Audit reporting: Stakeholders are presented with the written audit observations and a list of
non-conformities, and these form the basis for discussion of the audit results.
• Audit Verification: The manager of the process being audited is usually asked to respond to audit
nonconformities by an agreed-upon date. The response should include investigation into the root
cause, proposed corrective action and a date when the action should be completed. The lead auditor
reviews the responses to determine whether the investigation and proposed corrective actions are
adequate. If a response doesn't identify a plausible root cause or propose a corrective action related
to it, the lead auditor can reject the response and explain to the manager-of-the-process why it's
inadequate. The second stage of verification occurs when the manager-of-the-process notifies the
lead auditor that corrective action has been implemented. At this stage, the lead auditor or a team
member will verify that the corrective action has been fully implemented and the root cause of the
original nonconformity has been eliminated.

System Requirements for a Successful internal Audit Program


A specific audit is likely to be more successful if the detailed steps listed above are automated using software
to make them repeatable. Leading industry analysts have identified the following core requirements of a
software solution for a closed-loop internal audit program – an end-to-end process from audit management
through corrective actions to change control.

• Audit Management: The software should allow definition and management of various elements of
the audit process including creation of different checklists by audit type, tracking audit schedule details,
managing role differentiation between lead auditors, approvers and managers for all audit components
and enabling workload distribution by sharing components of the audit. The software should also allow
auditors to track progress, attach various documents as supporting evidence of the non-conformities,
review non-conformities identified by audit team members, ensure all exit criteria in the checklist have
been met before the step is completed and report audit results (pass/fail).
• Non-conformance tracking and management: The software should track and manage all
non-conformances arising out of the audit process and provide an ability to either close out the
non-conformance (based on severity level and authorization) or trigger a corrective action process. In
some regulated industries such as medical devices, closing out certain non-conformities may not
be an option and a corrective action is automatically triggered.
• Corrective Action: The software should provide a collaborative mechanism for automatically routing
a corrective action request to a hierarchy of users with built-in notification and escalation procedures,
enabling them to review all relevant non-conformance records to analyze the root cause and document
corrective actions to correct or prevent the recurrence of the problem. The system should support
configurable industry-specific report formats such as 8-D, 5-Phase and PIAR.
• Change Control: The software should support multiple change control mechanisms identified in
corrective action such as document change (change to a standard operating procedure or process
instructions etc.) or employee training or equipment recalibration.
• The system should be developed from the ground up using web architecture, so it can be easily
accessed by any user within the company or by key suppliers or customers outside the organization
and it can easily integrate with other systems or corporate portals.
• The system should allow Enterprise-wide reporting on any non-conformance and corrective action at
a department/plant/division/company hierarchy and provide an Executive Dashboard to report on key
process indicators.

A successful internal audit program is critical to implementing an organizational discipline of continuous
improvement. By ensuring that the best practices are implemented and by using software to automate the
closed-loop process, an organization will be well on its way towards realizing impressive results from its
internal audit program.

Here comes TS 16949

The International Automotive Task Force (IATF) took on the challenge of developing a standard to harmonize
three European catalogs, VDA 6.1 (Germany), AVSQ (Italy) and EAQF (France), and the North American
QS-9000 standard. The result was the ISO/TS 16949:2002 standard.

The Big Three automakers have put their support behind ISO/TS 16949:2002. QS-9000 is no longer in the
long-term picture. According to an executive from one of the Big Three, the ISO/TS 16949 contains 90
percent of QS-9000 already, and it's an improved standard. DaimlerChrysler released a letter dated July
2002, which stated that effective July 1, 2004, all product and service part suppliers to DaimlerChrysler are
required to be registered to ISO/TS 16949. In early August 2002, DaimlerChrysler, Ford and GM released a
joint letter announcing that the third edition of QS-9000 will expire on Dec. 14, 2006, after which ISO/TS
16949:2002 will replace QS-9000.

(Source - Quality Digest, October 2002)

A supplier's certification to ISO/TS 16949:2002 will satisfy vehicle manufacturers' current quality system
requirements for compliance or certification.

Impact of Regulatory Compliance on Quality and Profits

Regulatory compliance by enterprises could result in a positive impact on the quality of the products and services
that they generate. This could imply that the results of compliance can be quantified into direct economic
value for the complying enterprises. Although this is not a tested hypothesis, no one would dispute the fact
that a significant body of regulations today attempts to raise the quality of products to benefit (or protect) the
consumers. One may ask if it is possible to quantify the gains so achieved. While the issue of cost of
compliance to consumers and tax-paying citizens is a well-researched fact, the cost of non-compliance is
still an uncharted area measured mostly by fines and penalties paid by corporations. Those opposing the
pressure of compliance often argue that regulations only expand the bureaucracy, adding burden to its
subjects or on the industries it regulates.

The popular press is full of articles these days arguing that the recent Sarbanes-Oxley regulation is
overburdening corporations. While there may be some truth to this matter, one should not forget the cost of
non-compliance, which was borne by the shareholders of the numerous corporations who broke the inherent
trust of the financial markets. In my judgment, Sarbanes-Oxley gives CEOs an internal mandate to
institutionalize what most CEOs have always wanted and in many cases failed to achieve: real-time
documentation and controls on key financial and operational processes. The correct operating perspectives
allow business executives to turn the focus away from the debates of the cost of Sarbanes-Oxley, and achieve
greater competitive advantage through tighter process controls and metrics. These efforts will not only
result in higher quality of financial controls and disclosures, they can further enhance the financial results
through superior process automation and controls.

Taking an example from the food industry, a single cow with a dreadful disease could push businesses to the
brink of bankruptcy, disrupt markets and spread paranoia worldwide. It is common knowledge that interested
lobbies fought hard to stop cattle inspections and the industry did not heed FDA's sound advice to avoid
mixing meat from downers into the cattle feed. The food industry abounds with such examples where massive
amounts of processed food have been recalled from the shelves because of lapses in the production process.
Embracing the USDA recommendations with appropriate automation and tools can give CxOs a way to
define, automate and raise the quality of their food processing activities, delivering differentiated food products
in the market, which the consumers can feel safe to consume. Although USDA regulations may seem
expensive to organizations on the surface, complying with these stringent regulations provides for greater
food safety and enhanced customer satisfaction, eventually leading to enhanced financial results for the
company.

Besides food and drugs, occupational health and environment protection are rife with regulations as well.
Strong lobbies are fighting regulatory controls tooth and nail to delay, if not to limit, many of these regulations.
One should not forget that regulations around global safety and OSHA regulations are becoming increasingly
critical for regulators as we inherently live in a "riskier" world post September 11th 2001. As we raise
the quality of our safety processes, create better frameworks for corrective and preventive actions, build an
infrastructure of emergency preparedness and disciplined audits, not only are we being more compliant, we
are also raising the safety of our employees and facilities worldwide, eventually resulting in better managed
safety and environmental risks for corporations. These risk reduction initiatives fundamentally translate to
more predictable and sustainable shareholder returns.

One could argue that self-regulations are the best form of regulated controls as they impose the minimum
amount of cost on corporations and regulators. The proponents of self-regulations denounce the surge of
regulatory controls and cite historical examples where industry regulations have failed to work. The shift
that these advocates of self-regulation fail to acknowledge is that we now have a globally working
communication infrastructure, the Internet, which allows a collaborative platform for regulators and
corporations to work together across geographies and organizational boundaries. Using appropriate regulatory
tools and processes, forward-looking corporations enjoy the benefits of increased effectiveness of regulations
as well as a decreased cost of compliance. Maybe we all need to rethink how we can leverage technology
more effectively as we incorporate regulators and regulations in the fabric of our extended enterprise!

Incorporating Audits in your Operational framework

While many books and articles have been written about how to drive greater management and organizational
output, only recently are managers being asked to think about how to incorporate "audits" as a management
tool within their organizations. First of all, contrary to popular belief, audit is not a responsibility of the internal or
external auditors. It is the responsibility of business heads and managers who are running the operations of
the company on a day-to-day basis. How does one incorporate audit best practices within a management
framework?

Here are some simple examples of audits, which many large and small companies are using to enhance
their compliance with internal and external regulations and mandates.

• A global retailer sets up a global field audit capability to enhance its store operations.
• A mid-size pharmaceutical company focuses on documenting its key policies and procedures.
• A large food service company enables a web infrastructure for audits of its suppliers and franchisees.
• A sporting goods manufacturer begins to manage its business through real-time KPIs (Key Performance
Indicators).

All these companies are incorporating audits in their management and operational framework. They are
creating an environment for continuous improvement through a well thought out strategy of audits. These
audit frameworks are not merely designed to serve the requirements of the internal or external auditors, but
also provide continuous operational benefits to the business units.

So, how should one think about building an audit strategy within the management framework of an
organization? Here is a simple framework to think about how to incorporate audit controls in your business.

Segregation of Duties:

Segregation of Duties ensures that no one person is solely responsible for the entire process end-to-end,
without effective checks and balances. For example, key authorization processes should have appropriate
checks and balances. The person who documents the transaction should not be the same person who
conducts the transaction. These simple checks and balances ensure effective controls and reduce
organizational error rates.

Best Practices:
• Design your organization with "checks and balances" in mind.
• Ensure that the organizational processes and policies have a "quality control" oversight at all times.
• Ensure that the quality functions are reporting independent of the operational units.

Policies and Procedures:

Written policies and procedures codify management's criteria for executing an organization's operations.
They document business processes, personnel responsibilities, departmental operations, and promote
uniformity in executing and recording transactions. Thorough policies and procedures serve as effective
training tools for employees. Having a documented repository of your standard operating procedures at the
operational, financial, manufacturing unit levels, ensures consistency of processes and reduces audit failures.

Best Practices:
• Document key business processes and policies.
• Make the policies and procedures available to all personnel. Ensure they are accurate, complete, and
current at all times.
• Revise policies and procedures for changes in business processes and policies. This is particularly
important when new systems are developed and implemented or other organizational changes occur.
• Communicate significant changes to all affected personnel immediately to ensure they are aware of
any revisions to their daily duties and responsibilities.
• In the event that there are changes in personnel (i.e. new employees are hired, promotions granted,
etc.), documented policies and procedures will facilitate training and provide guidelines for the respective
positions.
• An integrated document management system with integrated training management ensures that
all the employees, suppliers, vendors and partners are current with your documented policies and
procedures.

Reviews and Approvals:

When a process is performed within a department, there should always be another level of review and
approval performed by a knowledgeable individual independent of the process. The approval should be
documented to verify that a review was done. Review and approval are controls that help management
gauge whether operational and personnel goals and objectives are being met. In this day and age of email
and web technologies, it is easier to document your approvals if you refrain from verbal approvals and
use electronic methods to approve key policies and processes.

Best Practices:
• Approve electronically to enable rapid documentation of approvals.
• Ensure that approval alerts and escalations are embedded in the workflow of your organization.
• Document all the approvals in a repository to ensure compliance with internal and external audits.
• Numerous approval management and archival solutions exist to facilitate both enforcement and
documentation of approvals within an organization.

Process Efficiency and Effectiveness:

Organizational processes must be efficient and effective. Efficiency implies the most productive way to perform
a task or function. Effectiveness implies that the given process has the intended outcome. Organizational
process-flows have to be designed with both efficiency and effectiveness in mind.

Best Practices:
• Effective processes are easier to audit, as the cause and effect of the processes are well understood.
Ill-designed processes are often harder to audit and may have unforeseen consequences.
• Incorporate key audit controls (Key process indicators, metrics etc.) in your workflow to ease the audit
of the processes.
• Efficient processes are often easier to audit as there are fewer intermediate steps and approval loops.
So, all your effort to design greater process efficiency indeed pays off not just on an operational basis
but also from an audit standpoint. Efficient processes are simply easier to audit.
• Talk to your internal and organizational audit organization earlier in the process and incorporate their
needs as you design your key processes and policies.

Reporting:

Management reporting takes on a more strategic priority as you are designing your organization for greater
auditability. The reporting infrastructure of your company is not just a way to create visibility into the status of
key processes and activities; it gives the management and the auditors a way to get possibly real-time
visibility into the key indicators of your organization. Reporting of key Corrective Actions and Preventive
Actions, process KPIs, employee training status on key processes, supplier and partner scorecards, and quality
maintenance reports on critical equipment and plants are simple examples of a well-designed management
reporting system.

Best Practices:
• Implement an organization-wide reporting process and infrastructure, ensuring that all your business
units are reliably and consistently reporting the required process status and data.
• A well-designed organization implies that reporting is not a separate task which you perform manually
once a month or week. Instead, reports are generated "in-band" as you go through the key processes
within your day-to-day activities. This ensures that reports are reflective of the processes themselves
and not a "post-fact" historical analysis of outcomes. These historical reports tend to be prone to
manipulation and human errors.
• Reporting is not just what your direct reports and business units share with the management. In
well-designed management reporting environments, the management must share key reports back to
the business units and direct reports. For example, many companies are beginning to implement
"real-time" scorecards, which show comparative performance across different business units, suppliers
or franchisees. These scorecards give an actionable framework to business units or suppliers to improve
their performance in real-time. Post-fact scorecards (in hindsight) may have some value, but they lack the
ability of real-time performance improvements and actionability.
• Well-run organizations provide "drill-down" reporting capabilities, ensuring that employees, managers,
suppliers can see the performance of their processes at the right level of abstraction. "Drill-down"
enables organizations to get to the root-cause of key issues, enables insights and learnings, and
creates an environment of continuous process improvements.

Incorporating quality into management style

Quality and compliance are not necessarily afterthoughts that are achieved through systems and software;
rather, they are part of the management style of managers and leaders. In progressive companies, managers
are not merely focused on enhancing organizational output and productivity, but are also aware of achieving
a greater degree of quality and compliance with the regulatory frameworks of their industries, economies and
communities.

So, what does it mean to be a more compliant or "quality-aware" manager?

Embracing Six-Sigma, TQM...? No, not necessarily. Good managers understand how to create processes
and organizations that minimize variance, produce repeatable productive outcomes and have built-in feedback
flows from their internal and external customers. Case in point: one of our large high-technology customers
is attempting to become more "customer focused" and deliver greater quality and satisfaction. Principles of
Corrective Action and Preventive Action are being incorporated not just in business workflows, but also in how
managers are being trained in this organization to handle customer issues and drive down defects and
thereby enhance customer satisfaction.

In another example from a noted automotive manufacturer, the entire senior management has shown
commitment to quality and compliance by focusing on reducing cycle times to internal, supplier and customer
issues. These commitments are being incorporated in how the lines of business are being
organized, how "quality and compliance" is everybody's job, and how suppliers and managers are being
rewarded for their contributions to quality and customer satisfaction.

Managing Quality at Outsourced Manufacturing Operations

The need for enterprise quality management is amplified for companies in the technology industry. These
companies have increasingly shifted manufacturing and assembly operations offshore to low cost countries
or have outsourced these functions to a contract manufacturer. As a result, a large number of their deliveries
to US based customers have become cross-border transactions and sometimes take weeks to be delivered
to distribution sites within the United States, resulting in long supply chains. The long supply chain has
created a new set of system requirements for quality processes within the extended enterprise.

It is very important for such organizations to gain visibility into quality issues within their offshore manufacturing
sites, including those of the contract manufacturer, so that they can prevent any unacceptable quality products
from entering the inbound supply chain. If these unacceptable quality products enter the supply chain, the
rejection process can delay shipment by weeks. Rejecting a shipment at the point of destination, weeks
after it was shipped from the manufacturing site, may cause shortages and disrupt fulfillment of customer
orders – a very high opportunity cost. Carrying high inventory at distribution centers to buffer against a poor
quality shipment is an expensive alternative, especially in an industry with short product life-cycles. The
additional transportation and handling incurred due to poor quality products being rejected at the point of
destination, instead of the point of manufacture, also leads to increased cost of inventory write-offs.

As a result, many technology organizations are seeking to minimize quality issues at outsourced and/or
contract manufacturers’ plants and are aggressively implementing enterprise class quality management
systems to audit finished goods at offshore sites, collect that data, and then aggregate, analyze and report
that information to key business process owners to give them visibility into potential quality problems. Using
this information, the business process owners not only can prevent a poor quality shipment from entering
the supply chain in a timely manner, they also use that information to create appropriate corrective actions
and systematically prevent such problems from occurring again. Industry data shows that companies can
reduce the costs of inventory write-offs by 5-10% and increase revenues by 2-5% by reducing the risk of
missed market opportunities from poor quality shipments within a long supply chain.

Many organizations find that their contract manufacturer may be using the same plant to manufacture products
for multiple customers and hence cannot be forced to install different systems for different customers at the
same plant to support their respective quality needs. As a result, the organization has to rely on process and
product quality information from the contract manufacturer’s quality system. That information usually does
not integrate well with the organization’s own systems and is frequently not available in a timely manner.

Hence, a new breed of quality management systems is needed to support long supply chains. These systems
must be web-based, so an organization can extend its internal quality system to its contract manufacturer,
where they can enter the required quality information for their customer’s products. As a result, the organization
gets instant access to quality information without requiring the contract manufacturer to install a dedicated
system at their plant. These systems must also support an extraprise data and security model, so a contract
manufacturer cannot see the quality issues that the organization faces at a competing outsourcer or their
internal plants. The organization should also be able to configure the system easily to allow them to
simultaneously deploy different quality processes at different outsourced or offshore sites to accommodate
varying process maturity levels at each of such sites. The system must also support integrated
inspection/audit, non-conformance tracking, corrective action, change control, document management, and user
certification capabilities, so an organization can implement an end-to-end closed loop quality process for an
outsourced supplier. A traditional point solution does not meet these requirements and increases a company’s
risk of high reject costs and disruption of supply of finished goods for their customer orders.

Roadmap for compliance with 21 CFR Part 11

According to some analysts, the cost of 21 CFR Part 11 compliance could vary from $5 million to $400 million,
depending on a company's size and current state of systems. Companies with lots of computer systems that
are not compliant with 21 CFR Part 11 must prioritize which systems to upgrade first. They are now beginning
to use a risk-based methodology to create a roadmap for compliance. This paper explains the 21 CFR Part 11
system requirements, discusses a risk-based methodology to create a compliance roadmap and identifies
popular first steps in the roadmap for most companies.

cGMP – the basis for 21CFR Part 11

Current Good Manufacturing Practices (cGMP) are mandated by the FDA to ensure that the products
manufactured by industries such as pharmaceutical, biotech and medical devices meet specific requirements
for identity, strength, quality, and purity. cGMP regulations are specified in 21 CFR Part 210 (Current Good
Manufacturing Practice in Manufacturing, Processing, Packing, Or Holding Of Drugs; General Part) and 21
CFR Part 211 (Current Good Manufacturing Practice for Finished Pharmaceuticals).

In order to comply with cGMP, companies are required to record, track, manage, store and easily access
various production documents and their detailed change history, including:

Standard Operating Procedures (SOP): SOPs are documents that describe how to perform various routine
procedures in a cGMP facility. SOPs relate to both tools and equipment. SOPs contain step-by-step instructions
that technicians in production, QC, maintenance and material handling must consult daily in order to complete
their tasks reliably and consistently. They make it clear how the task will be performed (procedure), who will
perform the task (responsibility), why it will be performed (purpose), and what limits of use apply (scope).

Master Production Batch Record (MPBR) or Production Batch Record (PBR): A master production batch
record (MPBR) is a detailed, step-by-step description of the entire production process for a specific drug. The
MPBR explains exactly how the product is produced, indicating specific types and quantities of components
and raw materials, processing parameters, in-process quality controls, environmental controls, etc. Production
Batch Records (PBR) document the production events, quality charts, environmental monitoring records and
inspection reports for the entire production process for a specific batch.

Equipment Log Books: Log books are kept for all major equipment in a cGMP facility so that a chronological
record of all equipment-related activities can be maintained. Minimum log book entries include date, time, the
name of the technician and the event, but could also include a list of tasks that permits the technician to check
off, sign, and date each event in the list of tasks as s/he performs them.

Why 21 CFR Part 11?

Historically, all the quality documents including SOPs, MPBRs, PBRs and log books have been maintained on
paper by companies in order to comply with FDA’s cGMP. Even as companies automated their production and
quality processes, they were still being forced to maintain and track paper records. The Code of Federal
Regulations (CFR) Part 11 was implemented in 1997 to let the FDA accept electronic records and signatures
in place of paper records and handwritten signatures for compliance. The regulation outlines controls for
ensuring that electronic records and signatures are trustworthy, reliable, and compatible with FDA procedures
and as verifiable and traceable as their paper counterparts.

Hence 21 CFR Part 11 also specifies a number of requirements for software systems to enable trustworthy
and reliable electronic records and signatures. These software requirements must be met for the resulting
electronic records to comply with FDA’s cGMP. If an organization does employ electronic records and signatures,
but fails to comply with these system requirements, the FDA will cite the firm for violating the underlying
regulation. For example, if a drug company maintains its written complaint records, required by 21 CFR
211.198(b), in electronic form, but the agency finds for some reason that these records are unacceptable
substitutes for paper records, then the FDA would charge the firm with violating 211.198(b) – "Master production
records are generated from a computer as electronic records without any apparent controls to assure authenticity
and integrity [21 CFR 211.186(a)]."

Software Requirements of 21 CFR Part 11

The following are the specific software requirements specified in Section 11.10:
• Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to
discern invalid or altered records.
• The ability to generate accurate and complete copies of records in both human readable and electronic
form.
• Protection of records to enable their accurate and ready retrieval throughout the records retention
period.
• Limiting system access to authorized individuals.
• Use of secure, computer-generated, time-stamped audit trails.
• Use of operational system checks to enforce permitted sequencing of steps and events.
• Use of authority checks to ensure that only authorized individuals can use the system, electronically
sign a record, access the operation or computer system input or output device, alter a record, or
perform the operation at hand.
• Use of device checks to determine the validity of the source of data input or operational instruction.
• Determination that persons who develop, maintain, or use electronic record/electronic signature systems
have the education, training, and experience to perform their assigned task.
• The establishment of, and adherence to, written policies that hold individuals accountable and
responsible for actions initiated under their electronic signatures.
• Use of appropriate controls over systems documentation.

[Figure: Scope of 21CFR Part 11 Requirements. Source: CGE&Y]
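Added example (not from the original paper or from any vendor's product): one way a record store can enforce three of the Section 11.10 controls listed above, namely authority checks, permitted sequencing of steps, and a system-generated, time-stamped audit trail in which altered entries can be discerned. The hash chain, the role names, the workflow states and the record IDs are assumptions of this example; Part 11 does not prescribe them.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed roles and workflow (assumptions for this example).
PERMISSIONS = {"author": {"create", "edit"}, "qa_reviewer": {"approve"},
               "site_lead": {"create", "edit", "approve"}}
# action -> (state the record must be in, state it moves to)
WORKFLOW = {"create": (None, "draft"), "edit": ("draft", "draft"),
            "approve": ("draft", "approved")}


class ControlError(Exception):
    """An authority, sequencing or independence check rejected the action."""


def _digest(entry):
    """SHA-256 over every field of an entry except its own hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditedRecordStore:
    def __init__(self, users):
        self.users = users      # user id -> role
        self.records = {}       # record id -> {"author", "body", "state"}
        self.trail = []         # append-only audit trail, hash-chained

    def _log(self, user, action, record_id, detail):
        entry = {"seq": len(self.trail),
                 "ts": datetime.now(timezone.utc).isoformat(),  # set by the system
                 "user": user, "action": action, "record": record_id,
                 "detail": detail,
                 "prev": self.trail[-1]["hash"] if self.trail else "0" * 64}
        entry["hash"] = _digest(entry)
        self.trail.append(entry)

    def _check(self, user, action, rec):
        role = self.users.get(user)
        if action not in PERMISSIONS.get(role, set()):        # authority check
            raise ControlError(f"{user} may not {action}")
        required, _ = WORKFLOW[action]
        if (rec["state"] if rec else None) != required:       # sequencing check
            raise ControlError(f"{action} not permitted in this state")
        if action == "approve" and rec["author"] == user:     # independent review
            raise ControlError("approver must differ from author")

    def perform(self, user, action, record_id, body=None):
        rec = self.records.get(record_id)
        try:
            self._check(user, action, rec)
        except ControlError as err:
            # Refused attempts are written to the trail as well.
            self._log(user, action, record_id, f"DENIED: {err}")
            raise
        if rec is None:
            rec = self.records[record_id] = {"author": user, "body": None}
        if body is not None:
            rec["body"] = body
        rec["state"] = WORKFLOW[action][1]
        fingerprint = hashlib.sha256((rec["body"] or "").encode()).hexdigest()[:16]
        self._log(user, action, record_id,
                  f"OK state={rec['state']} body={fingerprint}")

    def verify(self):
        """Return the index of the first altered or re-linked entry, or None."""
        prev = "0" * 64
        for i, entry in enumerate(self.trail):
            if entry["prev"] != prev or entry["hash"] != _digest(entry):
                return i
            prev = entry["hash"]
        return None


def demo():
    # Constructed users and record, for illustration only.
    store = AuditedRecordStore({"alice": "author", "bob": "qa_reviewer"})
    store.perform("alice", "create", "SOP-001", "Rinse vessel twice.")
    store.perform("bob", "approve", "SOP-001")
    intact = store.verify()               # None: the chain is consistent
    store.trail[0]["user"] = "someone"    # simulate an in-place change to history
    return intact, store.verify()         # the change is located at entry 0


if __name__ == "__main__":
    print(demo())
```

A hash chain only exposes in-place changes if the latest hash is also kept somewhere the record store's own administrators cannot rewrite, such as a separate write-once log.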

Building a Roadmap for compliance with 21 CFR Part 11


According to some analysts who track FDA regulations, the cost of Part 11 compliance could vary from $5
million to $400 million, depending on a company’s size and requirements. The Pharmaceutical Research and
Manufacturers of America (PhRMA) projects the industry-wide cost of compliance to reach $2 billion by 2006.
Companies with low budgets and lots of computer systems that aren’t compliant with 21 CFR Part 11 must
prioritize which systems to fix first. They are now beginning to use a risk-based methodology to create a
compliance plan for their systems.

Risk-based compliance methodology begins with an inventory of all the existing systems and carefully
identifies all systems that are either paper-based or non-compliant. The approach then carefully analyzes each
system to assess its risk, as well as the cost of either converting a paper-based system or upgrading/replacing
a non-compliant system to comply with the regulations. A key aspect of determining risk is assessing the
computer system’s potential impact on consumer safety. Incorporated in this assessment must be
the role that the system plays in the product life cycle, as well as the potential capability of the company’s
products to injure the consumer as a result of the use of that system. Another aspect of determining risk relates to
the system’s potential to fail due to issues such as software code complexity, lack of good vendor support or lack
of change control procedures. Finally, the company must consider the risk of intervention by FDA during an
inspection, leading to a large fine or delay in drug approval or a consent decree. While calculating the cost of
upgrading, one should determine whether the total cost of upgrading and validating a legacy system is higher
than the cost of its replacement.

[Figure. Source: Clarkston Consulting]

This information is then plotted on an X-Y matrix that measures, from low to high, the risk to security of the
data (X-axis) and the cost of upgrading (Y-axis). Then the company may prioritize its systems and processes
needing conversion or replacement based on where they fall in the matrix. Computer systems, for example,
that fall in the “high data security risk, low conversion cost” area of the matrix could be targeted first for
compliance validation.
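Added example (not from the original paper): the roadmap procedure described above, from inventory through risk and cost assessment to quadrant-based ordering under a budget. The system names, the 1 to 5 scores, the costs, both cut-offs, taking the highest of the three risk aspects as the X-axis value, and the order of the quadrants after the first are assumptions made for illustration.

```python
from dataclasses import dataclass

RISK_CUT = 3        # assumed: scores of 3 and above count as "high" risk
COST_CUT = 500.0    # assumed: $500K and above counts as "high" cost

# The paper only fixes the first quadrant; the rest of the order is an assumption.
QUADRANT_ORDER = ["high risk / low cost", "high risk / high cost",
                  "low risk / low cost", "low risk / high cost"]


@dataclass
class System:
    name: str
    compliant: bool           # already compliant with Part 11?
    safety_impact: int        # 1..5, potential to affect consumer safety
    failure_likelihood: int   # 1..5, code complexity, vendor support, change control
    inspection_exposure: int  # 1..5, risk of FDA intervention during an inspection
    upgrade_cost: float       # $K, convert or upgrade, including validation
    replace_cost: float       # $K, replacement

    @property
    def risk(self):
        # Assumption: the worst of the three aspects places the system on the X-axis.
        return max(self.safety_impact, self.failure_likelihood,
                   self.inspection_exposure)

    @property
    def remediation(self):
        """(option, cost) for the cheaper of upgrading or replacing."""
        if self.replace_cost < self.upgrade_cost:
            return "replace", self.replace_cost
        return "upgrade", self.upgrade_cost

    @property
    def quadrant(self):
        risk = "high" if self.risk >= RISK_CUT else "low"
        cost = "high" if self.remediation[1] >= COST_CUT else "low"
        return f"{risk} risk / {cost} cost"


def roadmap(inventory, budget):
    """Rank non-compliant systems; phase 1 is the ranked prefix that fits the budget."""
    todo = [s for s in inventory if not s.compliant]
    todo.sort(key=lambda s: (QUADRANT_ORDER.index(s.quadrant),
                             -s.risk, s.remediation[1]))
    plan, spent = [], 0.0
    for s in todo:
        option, cost = s.remediation
        spent += cost
        # Strict priority: once the budget is exceeded, everything after is deferred.
        plan.append({"system": s.name, "quadrant": s.quadrant, "action": option,
                     "cost": cost, "phase": 1 if spent <= budget else 2})
    return plan


# Constructed inventory (all names and figures are illustrative).
INVENTORY = [
    System("Quality management system", False, 4, 3, 5, 400, 250),
    System("Batch record system", False, 5, 4, 5, 900, 1500),
    System("LIMS", False, 4, 2, 3, 300, 600),
    System("Equipment log books (paper)", False, 2, 1, 2, 150, 200),
    System("Warehouse labelling", False, 1, 2, 2, 700, 650),
    System("Training tracker", True, 2, 2, 2, 0, 0),
]

if __name__ == "__main__":
    for row in roadmap(INVENTORY, budget=1000):
        print(row)
```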

Low Hanging Fruits in the Roadmap for Compliance with 21 CFR Part 11

Based on research by various analysts and consulting firms, one of the low-hanging fruits is upgrading quality
management systems to become compliant with 21 CFR Part 11. Such systems provide a core infrastructure
for electronic records for SOPs & training/certification, implement strict change control and enable auditable
corrective action processes. Hence these systems are considered quick hits because of their high-risk (high
risk of FDA intervention due to direct correlation with cGMP) and lower-cost (relatively lower cost of replacement
than a manufacturing system) profile. Quality management systems should support a multi-plant and
multi-organization architecture, including any outsourced operations such as clinical trials, R&D or production.
A multi-organization architecture enables companies to ensure consistency of practices and processes across the
entire internal supply chain, leading to a reduction of the overall risk to customer safety. Since existing
implementations of quality management systems do not have the architecture to support global operations,
enhancing existing legacy systems is more expensive than implementing a new solution with a global
architecture.

Capabilities addressed by Quality Management systems include:


• Document Management and Control (for SOPs)
• Audit Management
• Out-of-Specifications/Non-Compliance Tracking
• Corrective and Preventive Action (CAPA)
• Change Control
• Training
• Equipment Calibrations

AMR, an industry analyst firm based in Boston, in a recent report on the Risk from the current systems to
support FDA compliance stated that “Information Technology (IT) applications have not been integrated to
support end-to-end compliance business processes. This issue will come under increasing regulatory pressure
as the FDA targets a top-down, risk-based approach to consumer product safety. Product integrity and consumer
safety are still disconnected across product supply and customer-facing processes because IT environments
today support prioritized quality applications at local sites. These applications include CAPA, quality monitoring
and Laboratory Information Management System (LIMS) applications, complaint management, and adverse
event management. No enterprise-wide straw man exists for managing quality and compliance across global
operations.”

Leading pharmaceutical, drug discovery and development companies are aggressively investing in quality
management systems through initiatives that:
• Establish and Monitor Company Wide Quality Programs
• Assure Compliance with Company and Regulatory Procedures and Guidelines
• Provide Release and Approval of all cGMP Documentation, including Standard Operating Procedures
(SOPs) and Batch Records
• Enable Auditing of:
   - Chemical Development, Medicinal Chemistry, and Analytical Departments.
   - Manufacturing and Packaging facilities.
   - Analytical chemistry laboratories.
   - Drug formulation facilities.
   - Raw material supplier audits.
   - Contract testing organization.

Risk-based methodology enables companies to create a prioritized roadmap for compliance with 21 CFR Part
11, while staying within their budgets. This roadmap allows the IT organization to start selecting and implementing
new systems such as an enterprise-wide Quality Management System and upgrading existing production
systems that create batch records.

Supplier Charge-backs

Most manufacturers have implemented a Supplier charge-back program, where a supplier is charged for the
additional cost incurred by a manufacturer due to non-conforming components, materials and late deliveries
from suppliers. A charge-back system is an effective way to introduce business discipline and accountability
into the supply chain.

However, most manufacturers only end up recovering the material costs of non-conforming components
from their supplier. This is primarily attributed to the inability of their information systems to capture
non-material costs associated with the non-conforming component. These non-material costs normally exceed
the costs of non-conforming material and can end up costing manufacturers millions of dollars a year on
an accumulated basis due to poor supplier quality.

The supplier manual of a major consumer electronics manufacturer suggests that, as a result of non-conformance,
the following activities will be charged back to the supplier at per-hour wage costs.

1. Operator/Foreman handling

2. Eventual disassembly of the part

3. Administration to take the part out of stock

4. Quality department handling

5. Handling by the planner to get a new part

6. Transportation back to the receiving area

7. Communications with the supplier - what shall be done with the part?

8. New instructions

9. Attention from engineers

10. Packing and arranging transport back to the supplier

11. Invoice Handling

Our research shows that current ERP systems or departmental quality management systems do not support
this process well. Hence most companies end up using manual systems such as spreadsheets to calculate
charge-backs. As a result, the actual COPQ (Cost of Poor Quality) costs are always higher than what is
charged back. Before investing in "add-on" software applications, we recommend that you design a quality
management process that spans the entire organization and includes relevant suppliers. This step should
incorporate key quality processes including audit, non-conformance tracking, corrective action, change control
and charge backs. Once a sound non-conformance process workflow is outlined, you should then evaluate
and select software applications that provide a standardized platform for automating dispute discovery and
capture. The system should enable charge-backs to be more easily itemized, categorized, routed and
escalated. In contrast to manually tracking data on spreadsheets, which allows only a periodic, after-the-fact
review of charge-backs, a new system should provide an integrated, real-time solution that enables deductions
to be managed and addressed at any level of detail and resolved in a timely manner. Such a system also
exposes the actual cost of poor quality and provides a backdrop for the manufacturer to work closely with the
supplier in identifying the root cause of the problem and implementing Corrective Actions.

What is Your Company's Cost of Poor Quality - Tools for calculating and reducing it

"Quality is never an accident, it is always the result of an intelligent effort"
- John Ruskin (1819-1900)

A manufacturing company had annual sales of $250 million. Its quality department calculated the total cost
of repair, rework, scrap, service calls, warranty claims and write-offs from obsolete finished goods. This
aggregated cost, called Cost of Poor Quality (COPQ) amounted to 20% of their annual sales. A 20% COPQ
implied that during one day of each five-day workweek, the entire company spent its time and effort making
scrap, which represented a loss of approximately $100,000 per day.

Experts have estimated that COPQ typically amounts to 5-30% of gross sales for manufacturing and service
companies. Independent studies reveal that COPQ is costing companies millions of dollars each year and
its reduction can transform marginally successful companies into profitable ones. Yet most executives believe
that their company's COPQ is less than 5%, or just do not know what it is. All levels of executives recognize
that quality is an absolute necessity to survive and succeed in today's business environment. The diagram
below provides a framework for calculating COPQ as a percentage of sales.

In a recently published book "Success through Quality", the author estimates that COPQ for an average
company is about 20% of sales, with a range as wide as under 1% for companies who have achieved "six
sigma", about 15%-25% for companies who are at "four sigma" level and about 25% to 40% of revenue for
companies who are at "three sigma" levels. A large Fortune 500 communications company calculated its
COPQ at 8.6% of sales in 2002 and has set a goal of 5.4% for 2005, which will result in a savings of a little
less than $1 billion per year!

COPQ in a Supply Chain

The COPQ of individual suppliers participating within a supply chain has a cumulative effect on the COPQ of
the OEM shipping the end product - see figure below. As a result, companies are working very proactively
with their suppliers to reduce their COPQ. Many OEMs are also implementing supplier charge-backs (also
called cost recovery), where a supplier is charged for the additional cost incurred by the OEM due to non-
conforming components and materials and late deliveries from suppliers. A charge-back system is an effective
way to introduce business discipline and accountability into the supply chain. OEMs use it as a "stick" for
their suppliers to drive them to collaboratively identify the root cause of quality problems and to implement
corrective actions.

Reducing COPQ

Systematic reductions in the Cost of Poor Quality can be attained by implementing a Quality Management
System (QMS) that provides an integrated and closed loop corrective action process. In a manufacturing
organization, when deviations, nonconformance, out of specifications, quality incidents or customer complaints
occur, corrective and preventive actions need to be initiated to remedy the problems.

Once a quality problem has been identified, the first step is to initiate an investigation and to properly identify
the root cause of the problem. After the root cause has been identified, Corrective Action (CAPA) items are
created and routed for approval. When approved, appropriate changes are implemented in the environment
and then the CAPA is closed out. These changes may include amendments to a documented procedure,
upgrading the skill set of an employee through a training and certification process, or recalibrating the
manufacturing equipment. In addition, the system may capture COPQ associated with that non-conformance
and use that information to initiate and complete a cost recovery process with a supplier.

It is critical to deploy a closed-loop, integrated quality management system, rather than a set of loosely
connected modules from one or more vendors. Integration ensures that information flows through the corrective
action process with a high degree of accuracy and velocity without falling through the cracks. It also ensures
that the entire change control process is auditable from end-to-end - a critical requirement to support FDA
21CFR Part 11 and the Sarbanes-Oxley Section 404 audit criteria.

The QMS system should also be web-based, so that the suppliers can easily participate in the quality
management process. The suppliers often use the same plant to manufacture products for multiple OEMs.
As a result, they cannot be forced to install different systems for different OEMs at the same plant to support
their respective quality needs. Hence the OEM has to rely on process and product quality information from
the supplier's quality system. That information usually does not integrate well with the OEM's own systems
and is frequently not available in a timely manner. A Web-based QMS allows the OEM to make the application
available to the supplier without requiring the supplier to implement the system at their site. As a result, the
supplier can provide relevant quality information about the shipment to the OEM even before it ships from
the supplier's dock. If there are quality issues with any supplier component, manufacturers can take appropriate
preventive action even before it arrives or take it out of the supply chain to reduce their own COPQ. QMS
systems that do not support web architecture make it difficult for an OEM, participating in a supply chain, to
reduce its effective COPQ.

MetricStream

MetricStream, a market leader in Quality and Compliance Management Systems, allows its customers to
dramatically reduce COPQ through its integrated and comprehensive quality management solution. Market
leaders in industries as diverse as Automotive, High Technology, Consumer Goods, Manufacturing,
Pharmaceutical, Food Services and Government use the company's solution. Developed from the ground
up using web architecture, MetricStream provides an integrated set of the following modules to drive closed
loop corrective actions and reduce COPQ:

• Audit Management

• Inspection Management

• Non-Conformance Management

• CAPA

• Change Control

• Document Management

• Training Management

• Equipment Management

• Cost Recovery

Workplace Safety Compliance: The New Approach

Workplace Safety is emerging as one of the key risk management and regulatory compliance focus areas
among many global companies. As a result of this trend, traditional workplace safety compliance systems,
which were designed to be point solutions at a plant-level, are giving way to enterprise-wide safety
management systems. Such systems need to comply with the OSHA 29CFR regulations and support the
OHSAS 18001 framework, while providing enterprise-wide visibility into incidents and trends, corrective
actions and process metrics. This paper highlights the requirements of next generation systems for workplace
safety compliance.

Occupational Safety and Health Administration (OSHA) Regulations

OSHA's mission is to assure the safety and health of America's workers by setting and enforcing standards;
providing training, outreach, and education; establishing partnerships; and encouraging continual
improvement in workplace safety and health. OSHA and its state partners have approximately 2100
inspectors, plus complaint discrimination investigators, engineers, physicians, educators, standards writers,
and other technical and support personnel spread over more than 200 offices throughout the country. This
staff establishes protective standards, enforces those standards, and reaches out to employers and
employees through technical assistance and consultation programs. The passage of the Williams-Steiger
Occupational Safety and Health Act of 1970 clearly defined the regulations governed by OSHA.

The Occupational Safety and Health Act of 1970 was passed to assure safe and healthful working conditions
for working men and women; by authorizing enforcement of the standards developed under the Act; by
assisting and encouraging the States in their efforts to assure safe and healthful working conditions; by
providing research, information, education, and training in the field of occupational safety and health; and
for other purposes. The regulations under the act are covered in 29 CFR.

29CFR Part 1903 states that

• Every employer covered under the Williams-Steiger Occupational Safety and Health Act of 1970 furnish
to his employees employment and a place of employment which are free from recognized hazards
that are causing or are likely to cause death or serious physical harm to his employees.
• Employers comply with occupational safety and health standards promulgated under the Act, and that
employees comply with standards, rules, regulations and orders issued under the Act which are
applicable to their own actions and conduct.
• The Department of Labor be authorized to conduct inspections, and to issue citations and proposed
penalties for alleged violations.

29CFR Part 1904 requires employers to record and report work-related fatalities, injuries and illnesses.
Under the act, companies are required to use OSHA 300, 300-A, and 301 forms, or equivalent forms, for
recording work-related injuries and illnesses.

First Generation Safety Compliance Software

With the 29CFR safety regulations came a rash of companies dedicated to helping manufacturers comply
with the regulation. Most of these companies were small to midsize consulting and training firms that helped
manufacturers set up automated systems to manage their compliance - primarily record keeping and reporting.
They sometimes added auditing services to measure levels of compliance pre- and post-project. These first
generation applications were almost always developed as point systems to address specific requirements -
such as OSHA incident recording and reporting or Material Safety Data Sheets (MSDS) and Hazardous
Material Inventory management. The following diagram lists various point solutions in the market along the
health and safety continuum.

Global Organizations Begin To Look for Next Generation Safety Solutions

Most first generation applications in use today have been purchased by the plant personnel--the environmental
safety department or the plant HR organization. In some cases, they developed simple applications in-
house. As a result, many large corporations have ended up with different systems in different plants, making
it difficult for the plants to share EH&S (Environmental Health & Safety) information with their corporate
headquarters or other factories. The setup is not only inefficient, but it obstructs companies from sharing
and implementing common EH&S management practices across the entire enterprise, the foundation for
standards such as OHSAS 18001.

OHSAS 18001 (Occupational Health and Safety Assessment Series) is a consensus standard developed in
1999 by an independent group of national standards bodies and certification bodies (registrars). OHSAS
18001 was specifically developed to be compatible with ISO 9001 and ISO 14001 (the environmental
management system standard) to allow companies to develop and register integrated quality, environmental
and occupational safety and health management systems. OHSAS 18001 covers:

• Developing an OHS Policy
• Hazard Identification & Risk Assessment
• Training Employees
• Implementing OHS Control Measures
• Emergency Planning
• Document and Record Control
• Internal Audit Programs
• Corrective and Preventative Action
• Management Involvement and Management Review

In addition, many progressive manufacturers see EH&S as beyond just a compliance issue. Rather, they
see it as a risk-management issue. As a result, EH&S has gained more visibility at corporate headquarters
and corporate IT is being asked to implement systems that transcend plant boundaries.

The combination of a need to support the OHSAS 18001 framework and the need for a corporate-wide
safety solution has created a trend that is analogous to the ERP story, where large corporations ripped out
local-level point systems in favor of global ERP systems.

Industry analysts have identified the following core requirements of an enterprise-wide safety system:

• The system should provide an integrated set of modules that enable OHSAS 18001 and drive a closed-loop
process for reducing the potential risk of safety incidents:
- Audit/Inspection Management
- Incident Management
- Corrective Action
- Change Control
- Document Management
- Training Management
• The system should enable users to capture and report incidents and provide information on hazardous
material.
• The system should be developed from the ground up using web architecture, so it can be easily
accessed by any user within the company and can easily integrate with other systems or corporate
portals.
• The system should provide enterprise-wide reporting on an incident/plant/division/company hierarchy and
an Executive Dashboard to report on key process indicators.

A system that implements such capabilities will meet both objectives for Workplace Safety - risk management
and regulatory compliance at the enterprise level as well as at the plant level.

About MetricStream

MetricStream, a market leader in Quality and Compliance Management Systems, was designed to allow its
customers to comply with various industry regulations governed by FDA, EPA, NHTSA, OSHA etc. as well
as industry initiatives such as ISO 9000, QS 9000 and Six-sigma. Market leaders in industries as diverse as
Automotive, High Technology, Consumer Goods, Manufacturing, Pharmaceutical, Food Services and
Government use the company's solution. Developed from the ground up using web architecture, MetricStream
provides an integrated set of the following modules to drive closed loop corrective actions and increase
compliance.
• Audit Management
• Inspection Management
• Incident Management
• Corrective Action (CAPA)
• Change Control
• Document Management
• Training Management
• Equipment Management
• Process Dashboards

Corrective Action (CAPA) Systems at Innovative Companies

Increased regulatory pressures, the latest customer mandates and internal quality initiatives are requiring
companies to take a proactive and automated approach to their corrective action process. Regulatory compliance
requires organizations to capture all corrective action issues and track their corrective action process to
completion. About 30% to 50% of all 483 citations in FDA regulated industries are related to problems with
Corrective Action & Preventive Action (CAPA) processes. The corrective action process also forms the core of
various quality management disciplines such as Six Sigma DMAIC (Define, Measure, Analyze, Improve and
Control) or TOPS-8D (see the table below) or ISO 9000.

In a manufacturing organization, when Deviations, Nonconformance, Out of Specifications, Incidents or
Complaints occur, Corrective and Preventive Actions need to be initiated to remedy the problem. Once a CAPA
has been initiated, it follows its assigned workflow process. For instance, the first step may be to initiate an
investigation and to properly identify the root cause of the nonconformance. Once the root cause has been
identified, CAPA items can be created and routed for approval. Once the corrective actions have been approved,
appropriate changes are implemented in the environment and then the CAPA is closed out.

A software solution can be very helpful in managing and tracking a CAPA process. According to AMR Research,
a leading industry analyst firm, the core functionalities resident in a CAPA system should include the following:

• Web-based change management, audit trails, and tracking

• Visualization, reporting, and quality performance analytics

• Configurable workflows and standard template-based best practice workflows

• Roles-based information view

• Trigger and event management and integration to back-end systems

• A modular product, capable of being incrementally deployed.

The adoption of CAPA systems will become widespread because of their enabling role in mitigating significant
business risks and driving quality as an integrated part of the manufacturing process. As a result, companies
are no longer buying a stand-alone CAPA system; they want their CAPA solution to be an integrated part of a
quality and compliance solution.

Team-Oriented Problem Solving, 8 Disciplines (TOPS-8D)

Step 1 Form an appropriate cross-functional team.
The team should include a champion who has the resources and authority to implement the team's
solution.

Step 2 Define the problem.

Step 3 Contain the problem.
Protect the customer from the problem. This step can be omitted when 8D is used for a proactive
improvement because there is no "problem" (like defective parts).

Step 4 Identify the root cause.

Step 5 Select a permanent correction.

Step 6 Implement the corrective action and verify its effectiveness.

Step 7 Make the change permanent (standardization).
Also share the solution with similar operations. This is best practice deployment.

Step 8 Recognize the team's achievement.

Ensuring Regulatory Compliance through Training and Certification

Role of Training and Certification in Regulatory Compliance


In recent years, there has been a dramatic growth in compliance and regulatory requirements across all
industries. There are over 130,000 pages of rules in the Code of Federal Regulations. In addition, over 60
Federal Agencies issue about 4,000 new regulations every year. These federal regulations are the law-of-the-
land and organizations covered under such regulations need to actively implement them. Non-compliance can
cost organizations millions in fines, litigation, opportunity costs and production delays. Organizations need to
ensure that they are fully compliant with all of the regulations and reporting requirements of their industry in
order to avoid being fined and cited by the respective regulatory bodies.

Hence employees and management in these organizations should be able to interpret and internalize relevant
regulations and then apply them to their daily business processes. Often, it is lack of proper employee training
that leads to actions causing non-compliance, resulting in stiff penalties. Hence, a critical success factor for
regulatory compliance is keeping the workforce well trained.

Enterprise Requirements
The following are the three core aspects of employee training and certification within a regulated organization:

• Understanding the Regulations: In order to ensure compliance with all relevant regulations, it is first
necessary for the employees to understand the core requirements of a regulation and its impact on their
daily work.
• Job Training: A core aspect of regulatory compliance is ensuring that the workforce is trained in all parts
of their job. In fact, 21CFR Part 11 requirements state that persons who develop, maintain, or use electronic
record or electronic signature systems must have the education, training, and experience to perform
their assigned task. Hence, regulatory compliance requires that people be trained in various aspects
such as:
- Operating equipment safely under OSHA compliance;
- Following standard recipes for manufacturing to ensure quality and consistency for FDA compliance;
- Ensuring that the contracts are done right to SOP-97 for SOX compliance.
• Change Control: One of the key training objectives is to ensure that a proper change control procedure
is followed throughout the company. The two most frequent problems in maintaining compliance are keeping
the Standard Operating Procedures (SOPs) updated and giving employees adequate training on any
SOP changes. Any modifications to the system or process need to be communicated to the workforce. It
is imperative that these changes are understood and implemented through information dissemination,
training and certification.

Specific Regulatory Requirements


Different regulatory bodies have defined specific requirements for employee training. Examples of the impact
of specific regulations on training include:

FDA - 21 CFR: Ensuring electronic data security and integrity is vital from a regulatory, as well as from a
business standpoint. It is important that employees of FDA regulated enterprises be trained in following the
current regulatory requirements for electronic records and electronic signatures. In addition, compliance
training should teach employees to:
• Interpret the FDA's most recent guidelines and inspectors' expectations;
• Develop and utilize 21 CFR Part 11 compliance tools such as audit checklists; and
• Perform risk assessment on computer system validation.

SEC (Sarbanes-Oxley): In August 2002, the SEC implemented the Sarbanes-Oxley Act, wherein the CEOs
and CFOs of all publicly traded companies in the U.S. must represent that their financial filings are fair and
correctly stated. In order for the senior management of a company to comply with these requirements,
companies need strong policies, processes, and programs to ensure a high level of internal controls as well
as financial disclosure controls. This in turn requires that all appropriate employees be trained in areas such
as defining and validating internal controls, COSO framework, and risk assessment. In addition, employees
should be trained on the specific clauses of sections 302 and 404 of the Sarbanes-Oxley Act.

OSHA: Many standards promulgated by the Occupational Safety and Health Administration (OSHA) explicitly
require the employer to train their employees in the environmental health and safety aspects of their jobs.
Other OSHA standards make it the employer’s responsibility to limit certain job assignments to employees
who are certified, competent or qualified. These requirements reflect OSHA’s belief that training is an essential
part of every employee’s safety and health and it protects workers from injuries and illnesses.

Harassment: In today’s business environment, it is now very important that employers take affirmative
measures to prevent unlawful harassment in the workplace. At a minimum, employers should provide training
to employees and supervisors on anti-harassment issues, and document that training. According to recent
court decisions, proof of effective training may help to establish a defense against harassment claims that
do arise, or help to reduce or avoid an award of punitive damages.

Solutions for training in regulated industries


According to AMR Research, companies need to tightly link their employee training module to their execution
systems to close the loop on compliance. In addition, change control is a carefully managed process in regulated
environments, but it often requires retraining or re-certification. As a result, compliance with regulations such
as Sarbanes-Oxley, HIPAA, OSHA, The Patriot Act or internal initiatives such as ISO 9000, requires that
training be an integral part of the compliance management systems. According to leading industry analysts,
the core capabilities of any software for regulatory compliance should be a closed-loop solution set that contains
audit management, corrective action, change control, training and document management. As a result, when
an audit uncovers serious process non-conformance, the CAPA process is triggered, which leads to a preventive
action plan that may incorporate a Standard Operating Procedure (SOP) change, requiring retraining of some
group of employees on the new SOP. A re-audit will then ensure that the problem was corrected.

In summary, training has become an integral part of compliance with Federal regulations (FDA, OSHA, Sarbanes-
Oxley etc) or internal mandates (ISO9000, six-sigma etc.). Hence, training software needs to become core to
any quality and compliance management system.

IT Systems Validation for Regulatory Compliance

Importance of Information Systems Audit and Validation


Information technology has become a core enabler of business processes within organizations today. As a
result, companies are required to audit and validate their relevant IT systems to ensure that their business
processes and underlying records comply with regulations such as the Sarbanes-Oxley Act of 2002, the Healthcare
Insurance Portability and Accountability Act (HIPAA) or 21 CFR Part 11 (FDA). This paper defines an “easy-to-
implement” framework for auditing and validating IT systems for regulatory compliance. It also identifies a best
practice which calls for IT organizations and software vendors to proactively audit their software development
and implementation processes on an ongoing basis to identify and correct any systemic issues to lower the
cost of compliance.

Figure 1: Sarbanes-Oxley: Internal Control Components
Source: IT Control Objectives for Sarbanes Oxley, ISACA

The Sarbanes-Oxley Act signed into law on July 30, 2002, takes corporate governance, disclosure and financial
accounting to new heights. The crux of the legislation – aimed squarely at public companies – centers on
ensuring the accuracy, consistency, transparency, and timeliness of financial results and disclosures. Establishing
and maintaining an adequate internal control structure and procedures for financial reporting is at the core of
compliance with section 404 of Sarbanes-Oxley Act. However, there is a strong linkage between the enhanced
internal controls that the act demands and the information systems that manage data, implement workflows,
and automate business processes. In fact, the accuracy and timeliness of financial reporting is heavily dependent
on a well-controlled IT environment. PCAOB Auditing Standard No. 2 discusses the importance of IT in the
context of internal control. In particular, it states: “The nature and characteristics of a company’s use of information
technology in its information system affect the company’s internal control over financial reporting.”

Many companies are using the COSO framework for internal controls – where the importance of IT controls is
embedded in the framework. These companies are then applying the COBIT model of IT Governance to
ensure that the right level of IT controls is implemented (see Figure 1). Compliance with Sarbanes-Oxley Act
requires that financial systems used in the preparation of required financial statements be controlled and
validated to prove the accuracy and timeliness of certain financial data.

HIPAA (Healthcare Insurance Portability and Accountability Act, passed in 1996), presents the health care
industry with extensive regulations that significantly impact the technical and operational aspects of health
care information systems and embedded health care systems. It includes standards for electronic exchange of
administrative and financial healthcare transactions between health care providers and insurance providers
and includes privacy rules to protect the confidentiality and security of health data being transmitted. Companies
have rushed to make appropriate changes to their software to comply with the regulation. However, the challenge
now is to ensure that the systems infrastructure continues to be validated on an ongoing basis to stay compliant
with the HIPAA requirements.

Figure 2: Scope of 21CFR Part 11 Requirements
Source: CGE&Y

21CFR Part 11 was implemented in 1997 to let the FDA accept electronic records and signatures in place of
paper records and handwritten signatures for compliance. The regulation outlines controls for ensuring that
electronic records and signatures are trustworthy, reliable, and compatible with FDA procedures and as verifiable
and traceable as their paper counterparts. Hence 21 CFR Part 11 also specifies a number of requirements for
software systems to enable trustworthy and reliable electronic records and signatures – see Figure 2. These
software requirements must be met for the resulting electronic records to comply with FDA mandated Current
Good Manufacturing Practices (cGMP). If an organization employs electronic records and signatures, but fails
to comply with these system requirements, the FDA will cite the firm for violating the underlying regulation. The
potential impact might include FDA requested recall, FDA mandated recall, warning letter, seizure, injunction,
prosecution, civil penalties, and detention. IT System Validation is a key 21CFR Part 11 requirement - its
primary benefit is to assure quality and performance of the systems deployed to manage any cGMP process.
Empirical evidence states that if a specific process is managed by a validated IT system, it will consistently
yield a product that meets its predetermined specifications and quality requirements.

What is IT System Validation?


IT system validation is the process of verifying all the system functions in writing and ensuring that the
performance of those functions meets system specifications and data integrity. To successfully manage
compliance, each regulated system must be proven to operate in accordance with its intended use and design,
and in certain organizations such as those regulated by FDA, all documentation supporting that evidence must
be in a form acceptable to the regulatory body upon audit.

The scope of the systems that need to be validated is based on the regulatory body. For example, in an FDA
environment, any software used to automate device design, testing, component acceptance, manufacturing,
labeling, packaging, distribution, complaint handling, or to automate any other aspect of the quality system is
in scope of validation requirements. In addition, computer systems used to create, modify, and maintain electronic
records or systems that maintain certain employee training records are also subject to the FDA validation
requirements. Such computer systems must be validated to ensure accuracy, reliability, consistent intended
performance, and the ability to discern invalid or altered records. Similarly, compliance with Section 404 of the
Sarbanes-Oxley Act requires that financial systems used in the preparation of required financial disclosures
and statements be controlled and validated to prove the accuracy and timeliness of certain financial data.

Framework for System Validation


While various consulting companies have created their own methodologies for systems validation, our experience
shows the following framework to be comprehensive and applicable to both off-the-shelf and home-grown
software solutions. This framework ensures that the software being deployed meets the regulatory requirements
and will continue to be compliant over time. Key elements of that framework include:

• Compliance with core regulatory requirements: This element requires that the software is audited to
be compliant with the key requirements of the regulation.
For example, in FDA regulated industries, the software should comply with the following 21CFR Part 11
requirements:
- Any change to any record is captured in the audit trail and these entries are time stamped with
additional information including operator name and why the record was changed.
- System provides adequate security to prevent unauthorized modification by ensuring role-based access
and preventing users from directly updating the database.
- Software employs electronic signatures for any transaction into the system.
Similarly, HIPAA requires that the information systems that maintain electronic Protected Health Information
allow access only to those persons or software programs that have been granted access rights as
specified.

• Audit and Validation for intended use: This element requires that the requirement specifications are
developed for the intended use of the system. First, the system documentation is audited against the
intended use specification to identify any issues. Then the IT system itself is audited using the intended
use specification to identify any issues. Major issues need to be corrected using the closed-loop change
control method (see lifecycle methodology below) and the system needs to be retested before it can be
certified to be validated as ready for intended use.

• Lifecycle Methodology: This element ensures that the software vendor (or IT development organization)
that develops the software and the IT organization that implements the software follows a clearly defined
and documented software lifecycle methodology to ensure good quality and prevent any software defects
that cause non-compliance. The components of the lifecycle include:
• All system Requirements must be clearly defined before any design or coding effort starts. All system
functions must be identified at this stage.
• System design specification must be clearly documented and design reviews must be done to evaluate
the capability of the design to meet system requirements and to identify any problems.
• Test plans, test procedures and test cases should be developed as early in the development lifecycle
as possible.
• Coding Standards should be well documented and code reviews must be done to ensure that these
standards are followed.
• Multi-level testing methodology including unit test, functional test, integration test and system test
must be followed. In addition, stress testing and disaster recovery testing must be performed to ensure
that system performance requirements are met.
• Closed-loop change control: This element ensures that proper change control documentation, approval
and testing procedures are followed for any changes, including correcting software defects, adding
new capabilities for a new version of the software or making changes to software configuration. Change
control procedures must be written and well understood by the developers through adequate training,
to ensure compliance. Unauthorized changes to a validated system, even during the implementation
process, can have a detrimental effect on the system integrity.

Figure 3: Mapping of COSO and COBIT for the system lifecycle
Source: IT Control Objectives for Sarbanes Oxley, ISACA

• Facility: This element requires that the vendor facilities, as well as, the IT organization be audited to
ensure that they employ adequate security controls to prevent unauthorized access to software, computer
rooms and backup media storage rooms.

• Organization: This element ensures that the software developers, designers, QA engineers and project
managers are trained to perform the technical aspects of their jobs and the company has training policies
to ensure they continue to have the right skills on an ongoing basis to do their job. This requirement is
specified in the FDA regulations and in the COSO framework.

Organizations that implement this framework find it easier to keep their system validated on an ongoing basis.

Using a QMS system to streamline IT audit and validation process


In a world where technology and business practices are dynamic rather than static, reactive validation
methodologies provide questionable value. Best practices call for IT organizations and software vendors to
proactively audit their software development and implementation processes on an ongoing basis using the
framework defined above and to identify and correct any systemic issues arising from the audit. In order to
streamline and automate the entire IT audit and corrective action process, industry leaders are deploying
Quality Management Systems (QMS) within their IT/development organizations.

The QMS system serves as a system-of-record for the IT systems validation project. All documents including
functional requirements, system specifications and test plans are stored in its repository. The QMS audit
capabilities are used to create and track an audit checklist and its results. Once issues have been identified
through the internal audit process, the first step is to initiate an investigation and to properly identify the root
cause of the problem. After the root cause has been identified, Corrective Action (CAPA) items are created.
When corrective actions are approved, appropriate changes are implemented in the environment through a
change-control process and then the CAPA is closed out. These changes may include amendments to a
documented procedure/SOP or creating a new documented procedure/SOP when one is lacking, or placing
controls to ensure that the documented process is followed, or upgrading the skill set of an employee through
a training and certification process. Its dashboard provides IT and regulatory compliance executives an ongoing
view into the status of the validation process. By using QMS, companies ensure that the ongoing and proactive
audit and corrective action process is systematized and provides the basis for lowering the cost of compliance.

In summary, system validation is not a onetime project – it is an ongoing process. Through a combination of a
good implementation of system development lifecycle, proactive auditing of the software development and
implementation process and automation of the audit and corrective action process, companies can easily
comply with the system validation requirements of regulations such as 21CFR part 11, Sarbanes-Oxley or
HIPAA etc. at a lower cost of compliance.

Implementing a well designed audit program

In our July 2004 issue, we discussed best practices for incorporating audits into your operational framework.
In this issue, let us take the discussion further and ask how to most effectively implement
audits in a global organization. To put the problem in context, let us look at a specific use case scenario at a
large retail chain.

• A large and diverse retail organization selling convenience and fast food products has set up a global
organization for field audit management. The fully staffed field audit team, comprising internal staff
and contracted auditors, is chartered to work closely with the store management, retail staff, company
auditors and regional sales managers.

• Retail field audits are conducted to evaluate and reduce quality issues at shipping and receiving,
reduce on-site safety incidents, achieve inventory loss prevention, and provide closed-loop feedback
for continuous improvement at the retail stores.

• The current process for managing field audits is manual and error-prone. Audits are conducted manually
using photocopied questionnaires and checklists. Audit scores are manually assigned to test compliance
with the corporate quality standards, safety guidelines and inventory loss prevention procedures and
controls. The field auditors use a multi-sheet Excel spreadsheet to conduct their scheduled and spot
field audits, and upload the information to the corporate audit support team, who then summarize the
information and distribute the findings and compliance reports to management. While this manual approach
provides the basic audit data, it does not enable deep-dive analysis of the root causes of
audit scores. Audit metrics are hard to create, change and monitor, and therefore the organization
lacks the ability to actually improve the audit scores, share best practices and improve quality and
customer satisfaction.

Does this use case scenario sound familiar? This fast growing retail chain has incorporated audits into their
operational framework, but are they most effectively implementing the audit process for maximum benefits
to the organization? Here are some tips which we have seen work in many customer scenarios.

Requirements for a well-designed Field Audit program


In talking to our customers and industry analysts, we believe that a well-designed audit program must
achieve the following at a minimum.

• Provide immediate access to all of the field audit data at any level, across the extended enterprise
(corporate, stores, franchisees, suppliers etc.)
• Establish an audit database and warehouse across all the field locations to enable real-time and
historical analytics, trend-analysis, and root cause analysis on inventory losses, safety and quality
incidents.
• Automate and streamline the data entry process of the audit data to minimize errors.
• Enable auditors to distribute audit results to the store managers, distribution managers and executives.
• Enable auditors to review audit scores interactively with the store personnel and raise the audit scores
through training and continuous improvement programs.

Top 5 Recommendations for implementing a well-designed Field Audit program

1. Look for a solution that automates the entire audit process. A well-designed audit solution must meet
all of the requirements discussed earlier. While one may start small with one aspect of audit
management, it would pay to understand how your audit program would scale to deliver:
a. Automated reporting and analytics
b. Online and offline audit data capture
c. Integrated corrective action and incident tracking
d. Integrated document and training management for Standard Operating Procedures (SOPs) and
closed-loop training to improve audit scores.

2. Look for a mobile solution, which is practical and usable for the field auditors. Many audit programs fail
because the auditors find it hard to use the system while they are in the field conducting the audits.
Forward thinking organizations are insisting on offline and mobile auditing solutions so that auditors
can conduct the audit in the field and not have to re-enter their data when they come back to their
office. Re-entry of audit data is the single biggest point of error, and we recommend avoiding it.
Simple questions to ask and consider:
a. Can the auditors email the audit forms? Can those emailed audit forms be automatically synced up
with the centralized audit database?
b. Can hand-held devices like PDAs be used to conduct audits?
c. Are there built-in real-time rules to check for data integrity at the point where auditors are capturing
the audit data in the field?

3. Look for a real-time audit solution. Remember that the real goal of an audit program is not just to
monitor the audit scores across your extended enterprise, but to raise the audit scores through
real-time actions and processes. Simple questions to ask and consider:
a. Can audit results be tightly integrated with corrective action and preventive action plans?
b. Can audit scorecards trigger a well-integrated training program to raise the performance of the
underperforming units?
c. Can the Standard Operating Procedures and controls be modified effectively based on audit findings?
d. Can the management drill down into specific audit failures and understand the root cause and
trends?

4. Look for an audit solution, which is auditable. A well-designed audit solution must be auditable in itself.
You should be able to audit the auditors to ensure that the program is running as you expect it to run.
Simple questions to ask and consider:
a. Can you set up audits for the auditors?
b. Can you train and manage your auditors to conform to your standard operating procedures?
c. Do your field auditors believe that management and reviewers have full visibility into their data and
results?

5. Look for an audit solution, which can change with your business and processes. No matter which
business or process you are trying to audit, changes are inevitable. New stores, new processes,
future mergers and acquisitions will dictate that your audit methodology will evolve with time. Simple
questions to ask and consider:
a. Can you change the audit data or methodology?
b. Can the audit scoring methodology be refined as you gain more insight into your process or business?
c. Can you enable and build new audit applications over time with the help of your IT staff or consultants?

How to build a Business Case for a Quality Management System

Most enterprise software projects require their champion to build a business case to justify the capital spend. In
building a business case, the champion needs to capture all tangible benefits that the company would obtain
from implementing the software and then place a defensible monetary value on these benefits in terms of
annual savings to the organization. The goal of the business case is to ensure that the project delivers value
greater than the corporate hurdle rate for capital investments. This paper provides a proven step-by-step
process for developing a business case for a Quality Management System (QMS) within an enterprise.

A business case for a Quality Management System can be developed very rapidly by following the seven step
process mentioned below:

• Step 1: Identify Key levers

• Step 2: Capture ‘as-is’ Scenario and Collect Baseline Metrics

• Step 3: Identify Root Causes of ‘as-is’ Scenario

• Step 4: Develop a ‘to-be’ Scenario

• Step 5: Model ‘to-be’ Metrics

• Step 6: Populate ROI model and Quantify the Benefits

• Step 7: Communicate Value

Step 1: Identify Key Levers:

The first step of the process is to identify the top 3 to 5 quantifiable business levers which will be impacted by
implementing the QMS. The key criterion for selecting these levers is that they should be exhaustive but
should not overlap (to prevent double counting of benefits) and the impact of QMS on these levers should be
quantifiable. A set of sub-levers helps identify detailed quantifiable cost savings or revenue increase from the
selected levers. The following chart identifies the key levers for a QMS for an industrial products manufacturer,
but may be applicable to most other manufacturing environments.

Step 2: Capture ‘as-is’ Scenario and Collect Baseline Metrics

The next step is to identify the business processes that are related to the primary levers and sub-levers listed
above, document the ‘as-is’ scenario of such processes, identify the key metrics associated with these processes
and determine the current value of these metrics. The user should also determine the calculations that enable
him/her to leverage the metrics to determine the current value of each sub-lever. Finally the user should use
these calculations to create a model for each sub-lever. See Appendix A for the screen shots of the model for
each of the sub-levers identified in the example in Step 1 of this paper.

For example, if a sub-lever is ‘recovering non-material related Cost of Poor Quality’, then the user needs to
document the current process for cost-recovery and then determine:

• What is the current dollar amount of cost recovery last year?

• What % of this cost recovery was non-material related?

• What % of Suppliers are currently covered under chargeback/recovery program?

• Hours spent on following steps (non material costs due to poor supplier quality)

• Operator/Foreman handling

• Eventual disassembly of the part

• Administration to take the part out of stock

• Quality department handling

• Handling by the planner to get a new part

• Transportation back to the receiving area

• Communications with the supplier - what shall be done with the part?

• New instructions

• Attention from engineers

• Packing and arranging transport back to the supplier

• Administrative man-hours spent on chargeback (non material costs)

• Computing chargeback

• Communicating chargeback with suppliers

• Resolving disputes

• Communicating final resolution to purchasing & Payables

• Calculation: Sum (hours of non-material activities needed on the component that failed inspection due to
poor supplier quality *standard costs for each activity)

Similarly, if the sub lever is ‘reducing scrap’, the user needs to capture the current process for scrapping
inventory at each inspection point and then calculate the current value of scrap attributed to quality. Specifically,
the user will need to identify

• For each inspection point


• Total Amount of Scrap in the last four quarters
• % of the Scrap value attributed to Quality (using reason code captured in the scrap transaction)

Step 3: Identify Root Causes of ‘as-is’ Scenario

This is a key step in identifying why the current process is not delivering the target value for the metrics
identified above (that map to best practices or internal targets) and enables the user to pin-point the issues in
the current process.

For example, a user might discover that it is hard to determine the supplier-related poor quality issues at two
inspection points in the Cleveland plant because the inspection step at machining-plus and molding-2 operations
don’t capture the right reason code for poor quality while scrapping material. Without right reason codes
captured, it is hard to identify the non-material costs incurred at these two operations due to poor supplier
quality. While the new QMS would not address this issue, the user has uncovered that streamlining this process
will enable the organization to implement the non-material related cost recovery processes.

The user might also discover that the cost recovery process is very manual and as a result there is a lot of leakage
in cost recovery. Root cause analysis will determine that:

• There is no one place to manage all open cases and disputes. Chargeback information is scattered in
multiple reports, on excel and email. Average chargeback resolution requires 4 reports, 12 emails and
reviewing at least 5 spreadsheets

• 5 cases representing $215K Million have been open for over 8 months – slipped through the cracks

• It would be hard to scale to cover ¾ of the supply base without hiring 3 additional chargeback
administrators. The company is committed to keeping headcount flat for the next 12 months, except in
engineering and sales positions.

Step 4: Develop a To-be Scenario

This step enables you to visualize the ‘to-be’ process flows with the new QMS solution. This step lays the
foundation for how the new system will streamline the various processes that drive the primary levers and
sub-levers identified in Step 1 and how the new system will address the various issues identified in Step 3
(root-cause analysis of the ‘as-is’ process).

For example, the diagram below enables the user to identify how the QMS system will streamline the information
and process flow of the cost recovery process.

Step 5: Model to-be Metrics

This is the most critical part of the business case development process. The user determines how the ‘to-be’
scenario will improve the key baseline metrics identified in step 2 for each of the sub-levers and creates
assumptions for the new value of the metrics. Since this is the most subjective part of the overall process, it is
recommended that the user create two scenarios for identifying improvements to the metrics:

• Conservative Scenario: User assumes that change management related inertia will slow the improvements
identified in step 4 to each of the processes.

• Most Likely Scenario: User assumes that with strong sponsorship of the management team, the user will
be able to achieve the most likely process improvements, factoring in some change management related
pushback.

The following example shows the assumptions for new metrics associated with the non-material cost recovery
sub-lever, with very clear reasons behind these assumptions.

Step 6: Populate ROI Model and Quantify the Benefits


Once the user has determined the value of metrics in the ‘to-be’ process, the next step is to:
• Incorporate the assumptions for new metrics for conservative and likely scenarios for every sub-lever
into the model
• Use the new metrics to calculate the annual $$ benefits for both scenarios for each sub-lever as a result
of migration to the QMS system. Include only tangible savings. Non-tangible savings such as productivity
improvements should not go into the calculation for total savings for the sub-lever from the QMS system.
• Add the savings from each sub-lever to compute the total $$ savings for the organization
• Determine a schedule for phased realization of savings from implementing the QMS (e.g. 50% savings
realized in year 1, 70% in year 2 and 100% in year 3, 4 and 5)
• Use the hurdle rate to compute NPV.

The model for each of the sub-levers listed in Step 1 in this paper is displayed in Appendix A and can serve as
a guide in building a scenario-specific model.

Step 7: Communicate Value


Once the user has built the model with the new metrics and calculated the NPV, the final step is for the user to
develop a management presentation that presents the business case for the QMS system. In this presentation,
the user needs to highlight the savings and assumptions for each primary lever. The white paper shows two
slides from the ‘cost-recovery’ primary lever.

We believe that with this seven step process, any user is well on their way to building a business case for a
Quality Management System. Please feel free to contact the author at agupta@metricstream.com if you have
any questions or feedback.

About MetricStream

MetricStream allows its customers to improve supplier quality through its integrated and comprehensive quality
management solution. Market leaders in industries as diverse as Automotive, High Technology, Consumer
Goods, Manufacturing, Pharmaceutical and Food Services use the company's solution. Developed from the
ground up using web architecture, MetricStream provides an integrated set of the following modules to drive
closed loop corrective actions and manage supplier quality
• Audit Management
• Inspection Management
• Non-Conformance Management
• CAPA
• Change Control
• Document Management
• Training Management
• Equipment Management
• Cost Recovery
• Supplier Scorecard
• Analytics/dashboards

MetricStream is headquartered in Redwood Shores, California and can be reached at www.metricstream.com

Appendix A

The Model

1. Savings from Material and Non-material Cost Recovery

2. Savings from reduced Scrap/Inventory

3. Savings from Reduced Line Shutdown and Improved Utilization of Bottleneck-Equipment

4. Savings from reduced expediting, lower warranty and recall costs

5. Total Savings and NPV Calculations

Using a Compliance Platform to build Custom Quality and Compliance Applications

Despite the availability of off-the-shelf quality and compliance applications in the market, many organizations
still choose to develop custom compliance software to support their unique business processes and reporting
requirements in their environment. The cost of ownership of such custom applications is high due to long
development timeframes and higher on-going maintenance costs. This paper suggests that using a compliance
platform as a starting point dramatically reduces the cost of ownership of a custom-developed application. The
paper also provides an important checklist if you or your organization is contemplating developing a custom
quality and compliance application.

Packaged Quality and Compliance Applications

Organizations are successfully implementing enterprise-wide quality and compliance systems to gain visibility
and control over key quality processes across their operations and to ensure compliance with government
regulations, industry mandates, company policies and internal initiatives. If quality is not managed in a
systematic, enterprise-wide manner, it can result in line shutdowns, reduced employee productivity, higher
internal costs, loss of key customers, and slower revenue recognition. Not achieving compliance with
government regulations can lead to penalties, fines and plant shutdowns. Gaining enterprise-level visibility
into key quality and compliance metrics is critical to managing risk and implementing continuous improvement
practices throughout the organization.

An enterprise-class quality and compliance system enables companies to identify, track, manage and correct
issues and exceptions in key operational processes. Such systems contain the following capabilities:

• Audit Management that enables organizations to create audit checklists and schedules, define
qualitative or quantitative pass or fail criteria for each audit checklist component, record detailed
observations, report results and ensure that the entire process can be implemented with appropriate
audit controls and approvals

• Inspections that enable an organization to define product inspection criteria and sampling plans,
specify qualitative and quantitative inspection criteria and acceptance levels for each attribute, collect
attributes data, calculate CPKs from inspection data and compare against acceptance levels to monitor
manufacturing process control or incoming part variance levels and identify non-conformance

• Adverse event reporting that enables an organization to capture and report adverse events such as
workplace accidents or hazardous material spills

• Non-Conformance tracking that enables the identification and recording of material and process
non-conformances, tracking of these issues across the organization and routing them for further review
and approvals to determine disposition such as corrective actions.

• Corrective Action/Preventive Action (CAPA) to deploy a structured process for collaboration among
problem owners, coordinators and team members to identify core issues and document the actions to
be taken to resolve the problem to correct the nonconformance or to prevent the recurrence of the
problem

• Change Control including updating existing SOP (Standard Operating Procedures) or creating new
SOPs; updating other documents; recalibrating equipment, (re) training employees etc to implement
the actions identified in the CAPA process. The change control process also leaves an audit trail,
which is critical for regulated environments.

• Training including management of training offering, schedules and enrollment, maintaining and reporting
on training records for regulatory requirement, course material routing and approval and providing
feedback on instructor and course material effectiveness for closed-loop control.

• Reporting and Dashboard capabilities generate specific metrics on the performance of closed-loop
corrective action process and create reports about compliance with various regulations such as FDA
or EH&S.

• Document Management that serves as a central repository for all relevant documents and records
with support for search and view, change-request lifecycle (check-out, update, approval cycle,
notifications and check-in with version control), distribution control (set controls on the distribution of
sensitive documents and generate detailed reports by document type and distribution list) and an
audit trail for history tracking.

• Security to ensure that unauthorized access to any record is strictly prohibited and the application
implements specific capabilities such as encryption, electronic signatures etc to support specific
regulations.

Off-the-shelf quality and compliance software is increasingly being implemented by large and small companies
across various industries to address regulatory compliance issues (such as 21CFR part 11 or OSHA) or
customer-mandated quality processes (such as implementation of QS9000 or TS16949 by suppliers in the
automotive industry) or to support internal quality initiatives (such as an implementation of ISO9000 or six-
sigma).

Why build custom quality and compliance software?

Many organizations have unique audit and corrective action processes that require collection of very specific
transaction data. In addition, such processes may also have very unique workflows and reporting requirements
and require integration with multiple proprietary systems for specific process data. These scenarios abound
in a large-distributed organization when one is automating an audit of a service process or corrective action
in a supply chain process or compliance reporting for a very specific industry regulation. It is also very
common for a company that is implementing leading edge best practices to have very unique data collection
and process workflow requirements.

As a result, off-the-shelf quality and compliance systems do not entirely map to such a scenario unless the
application is heavily customized. Hence many organizations opt to build their own custom quality and
compliance applications to support their unique data collection, process workflow and application integration
requirements. In addition, some organizations may start with an off-the-shelf application and add custom
modules to support a specific audit process or a unique regulatory reporting requirement.

Key components of a custom quality and compliance software

Once an organization has decided to custom build their own quality and compliance application, they would
need to incorporate the following elements within their custom application.

• Management of both unstructured and structured data: Quality and compliance applications are very
document-intensive and require the application screens, workflows and database to support the
management of both structured and unstructured data. This requirement creates additional design
considerations for system auditability, security and performance.

• Document Management: The custom application needs to support document access and control
capabilities such as search and view, change-request lifecycle, controls on the distribution of sensitive
documents and an audit trail for history tracking. Such capabilities enable creating, revising, approving,
viewing, printing and archiving controlled documents such as Standard Operating Procedures (SOPs),
Work Instructions, Policies and Certification documents.

• Modeling quality & compliance objects: The custom application will need to model and implement various
quality and compliance objects such as audits, issues, approvals, action items, checklists etc because
such objects form a key component of any Internal Audit Management, Material Inspection, Corrective or
Preventive Action and Change Control applications.

• Real-time Event Management Sub-system: The custom application will need to provide capability to the
user to define customizable rules that trigger events and provide mechanisms for appropriate programmatic
actions within the application when an event occurs. This event management capability has to be scalable,
reliable, and extensible.

• Electronic Signatures and other compliance requirements: If the organization is creating a custom
application for an FDA regulated environment, they have to support 21CFR Part 11 requirements. These
include:

• Product requirements such as electronic signatures

• Audit requirements such as use of a development lifecycle methodology

The custom application must support the ability to capture username, password and purpose-related data for
any transaction and log that information for audit purposes. It should also provide automatic user lockout after
a finite number of failed attempts.

• Dashboard, Reporting & Metrics: The custom application needs to provide a library of key metrics and user
configurable reports/dashboards that leverage the metrics and data to provide quick visibility into process
status and performance. The custom application must also provide a reporting wizard and integrated capabilities
for charts and in-context drilldowns.

• Integration with external systems: The custom application needs to provide a mechanism for easy
integration with other applications and cost-effective on-going maintenance of such integration over
time.

• Offline Access: Many activities such as audits and inspections can be done more effectively if the users
had offline access to the application. The custom application must support offline access capability, if the
business process requires such a capability.

• Engaging casual users: One of the key factors for successful compliance with regulations is that everyone
who interacts with the relevant processes should follow the defined policies and procedures. Typically
these procedures and policies are encapsulated in applications that automate the process. Hence
successful compliance requires 100% adoption of these applications by everyone who interacts with the
process. However this requirement also implies that even the most casual users within the enterprise
and at suppliers should know how to navigate through the application and should always use it as they
interact with the process, making them the weakest link in the compliance process. If the custom application
enables casual user to access a relevant form without them having to learn the application, and then it
will enjoy broader access among casual users.

• Auditability: An application developed for the regulatory environment needs to provide an ability to audit
any previous activity on the system. As a result, this capability consists of two separate system
requirements: update transactions that do not overwrite previous records but create new records, and
metadata about each change, so that reports of the audit history can be easily created.
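
The electronic-signature requirement above (capture username, password and purpose for each transaction, log it, lock out after repeated failures) and the auditability requirement (updates create new records rather than overwriting old ones) can be sketched together as follows. This is an added example, not MetricStream code; the class and method names, the three-attempt threshold and the sample data used with it are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed threshold: the text only asks for "a finite number of failed attempts".
MAX_FAILED_ATTEMPTS = 3


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


@dataclass(frozen=True)
class RecordVersion:
    """One immutable version of a record, carrying its signature metadata."""
    record_id: str
    version: int
    data: dict
    signed_by: str
    purpose: str
    signed_at: str


class SignedRecordStore:
    """Hypothetical store: every update needs a signature and appends a version."""

    def __init__(self):
        self._users = {}     # username -> salt, hash, failure count, lock flag
        self._versions = []  # append-only; existing entries are never changed
        self.audit_log = []  # append-only list of signature events

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = {"salt": salt, "failures": 0, "locked": False,
                                 "hash": _hash_password(password, salt)}

    def _log(self, event: str, username: str, **details) -> None:
        # The password is verified but never written to the log.
        self.audit_log.append({"at": _now(), "event": event,
                               "user": username, **details})

    def _authenticate(self, username: str, password: str) -> bool:
        user = self._users.get(username)
        if user is None:
            self._log("signature_rejected", username, reason="unknown_user")
            return False
        if user["locked"]:
            self._log("signature_rejected", username, reason="locked_out")
            return False
        supplied = _hash_password(password, user["salt"])
        if hmac.compare_digest(supplied, user["hash"]):
            user["failures"] = 0
            return True
        user["failures"] += 1
        if user["failures"] >= MAX_FAILED_ATTEMPTS:
            user["locked"] = True
            self._log("account_locked", username, failures=user["failures"])
        else:
            self._log("signature_rejected", username, reason="bad_password")
        return False

    def sign_and_save(self, username, password, purpose, record_id, data):
        """Append a new version if the signature verifies; otherwise return None."""
        if not purpose.strip():
            raise ValueError("a signature must state its purpose")
        if not self._authenticate(username, password):
            return None
        version = 1 + len(self.history(record_id))
        entry = RecordVersion(record_id, version, dict(data),
                              username, purpose, _now())
        self._versions.append(entry)
        self._log("record_signed", username, record_id=record_id,
                  version=version, purpose=purpose)
        return entry

    def history(self, record_id: str) -> list:
        """All versions of a record, oldest first (the audit history)."""
        return [v for v in self._versions if v.record_id == record_id]

    def current(self, record_id: str):
        versions = self.history(record_id)
        return versions[-1] if versions else None

    def is_locked(self, username: str) -> bool:
        return self._users[username]["locked"]
```
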

If such capabilities were designed into a software platform, specifically created for quality and compliance
applications, IT organizations could reuse such objects and capabilities by building their custom application on
such a platform, rather than defining, modeling and programming such capabilities from scratch in a custom
application. Modeling and programming such objects can consume over 50% of the overall programming
effort in an application.

Any custom application built on a compliance platform automatically gets access to all the common services
defined within the platform. As a result, development of a custom quality and compliance application/module is
practically reduced to defining and programming the process logic and user interface forms – the
application/module leverages the platform for common services that it would have to build otherwise. We estimate that
building applications on a compliance platform can save over half of the initial development effort for a
custom application and over 80% of the annual maintenance resource requirements for a custom application.
As a result, organizations can build functionally-rich custom applications for quality and compliance at a
dramatically lower “cost-of-ownership”.

About MetricStream

MetricStream allows its customers to improve supplier quality through its integrated and comprehensive quality
and compliance management solution. Market leaders in industries as diverse as Automotive, High Technology,
Consumer Goods, Manufacturing, Pharmaceutical and Food Services use the company's suite of applications.
Developed from the ground up using web architecture, MetricStream provides an integrated set of the following
modules to drive closed loop corrective actions and manage supplier quality:

• Audit Management

• Inspection Management

• Non-Conformance Management

• CAPA

• Change Control

• Document Management

• Training Management

• Equipment Management

• Cost Recovery

• Supplier Scorecard

• Analytics/dashboards

MetricStream took a platform-centric approach to building its suite of quality and compliance applications.
Instead of embedding capabilities such as document management, dashboards and analytics, electronic
signatures, checklists, issue-tracking, workflow approvals, notifications, offline, event management etc. directly
within its application-suite (as done by other vendors in this space), MetricStream decided to build such common
quality & compliance specific services within its platform, called the MetricStream Compliance Platform. It then
built its applications on top of this platform. As a result of this approach, MetricStream applications demonstrate
the rich functionality, the scalable architecture and the architectural elegance expected in an enterprise-class
application. The MetricStream Compliance Platform has also enabled companies to build custom quality and
compliance applications at a very low cost of ownership.

Raising your Audit Score through effective Document Control

In our August 2004 issue, we discussed best practices for implementing a well-designed audit program. In this
issue, let us discuss how one can most effectively raise the audit scores of your organization by building
effective document control processes. Document control and document lifecycle management have become
an increasingly important foundation for building and implementing a good quality and compliance system. With
the growth of online manuals, standard operating procedures (SOPs), supplier contracts, electronic material
safety datasheets (MSDS), OSHA safety datasheets, plant and operator instruction manuals, most large and
mid-size manufacturers are finding it difficult to enforce compliance with corporate procedures and quality
standards. In many cases where such digital document repositories do exist, we find that these document
repositories are not integrated with the underlying processes and quality standards of the organization. To
make matters worse, as organizations look at managing large offshore supply chains, effective document
control becomes even more challenging in establishing the quality baseline between all parties involved. A well
implemented document control system, besides providing a document repository for global use, must enable
seamless document and data control, closed-loop collaboration and process flexibility to turn organizational
documents into living and breathing standards for global quality and compliance.

To put the problem in context, let us look at a specific use case scenario at a large manufacturer.

• A large and diverse manufacturer selling hi-tech products has multiple plants throughout the globe, with
an increasing number of components and parts being sourced from specialized suppliers and outsourcers.

• The manufacturer has several thousand business critical documents stored in a document management
system implemented just a few years back. These documents are increasing in volume and scope and
are often sent around in emails to facilitate collaboration across teams and organizations. The current
process for managing documents mostly involves individuals and groups working on certain documents
and then filing them electronically in the common document vault for record keeping or collaborative
purposes.

• While on the surface the document infrastructure may be adequate to keep the plants operational, the
manufacturer often scores poorly on internal, customer or regulatory audits.

So where is the problem here? Why does the organization continue to have a challenge adhering to the quality
standards, even though there exists a nice collaborative environment to document and follow the critical
standards and procedures?

The simple but important realization which many large and medium size manufacturers have had over the last
few years is that global quality management initiatives must take ownership of the global document management
initiatives to ensure that quality processes and associated documentations on standard operating procedures
are tightly coupled. Moving forward, document changes must lead to process changes and vice versa.

Here are some tips which we have seen work in many customer scenarios to raise quality audit scores.

Requirements for an effective Document control process

We believe that document control processes designed to improve your audit scores must achieve the following.

• Provide immediate access to all of the plant and corporate documents at any level, across the extended
enterprise based on appropriate roles and privileges. (Corporate, plants, distributors, suppliers etc.)

• Establish a simple framework for document lifecycle management, which covers document creation,
change management, management approvals, and regulatory filings, real-time as well as historical
reporting.

• Connect document changes with process changes and vice versa. For example, when standard operating
procedures change, those changes must reflect in the process flows across the extended enterprise. On
the flip side, as the processes change with business requirements, process documentation must reflect
such process changes. Managing process and document flows in isolation can lead to quality and
compliance failures and introduce gaps between documented objectives and process implementations.

• Enable auditors to audit process and product document controls. For example, creating audit checklists
based on stated procedures and documents could enable auditors to rapidly create relevant audit
packages.

• Ensure that changes in documented SOPs and process manuals trigger appropriate organizational training
processes. Most regulations (such as FDA regulations) mandate evidence of appropriate training upon
changes in the documented SOPs and procedures.

• Facilitate document control in offline and email environments. As process documentation, SOPs and supplier
contracts are collaboratively managed, it is critical that offline and email-based document controls are
implemented. In many cases, documents must be worked on by remote suppliers without requiring
access to your document management environment. It is critical that all those documentation changes
and approvals are captured in your system in offline environments.

Top 5 Recommendations for raising your audit scores through effective documentation

1. Look for a solution that automates the entire document lifecycle. A well-designed document control
solution must facilitate complete management of document lifecycle.

a. Enable creation, change management, approvals, filings, and storage of all documents.

b. Ensure reuse of existing document lifecycle templates.

c. Integrate seamlessly with existing document management infrastructure and document vaults for
record keeping and storage.

d. Facilitate role based ad-hoc work groups across the supply chain to collaborate throughout the
document lifecycle.

2. Look for a mobile solution, which is practical and usable by the entire extended organization. Many
document control programs fail because users find it hard to use the system while they are in the field
working on the documents. Forward thinking organizations are insisting on offline and mobile document
solutions so that quality and compliance organizations can manage the document lifecycle in the field
and not have to re-enter their updates when they come back to their office. Re-entry of document changes
is a point of error, which we recommend is best avoided. Simple questions to ask and consider:

a. Can quality organizations collaborate on documents through email? Can emailed documents be worked
on remotely and automatically synced up with the centralized document control solution?
b. Can hand-held devices like PDAs be used to manage document lifecycle?
c. Are there built-in real-time rules to check for approvals and document controls at the point where users
are making changes to the documentation in the field?

3. Look for a document control solution with built-in process management capabilities. A well-designed
document control solution must be seamlessly integrated with process management capabilities to help
raise your audit scores. Changes in SOPs and documentations should trigger process changes and vice
versa.

a. Can processes described in the SOPs be implemented through process flows?
b. Does the system provide automatic alerts when SOPs change? These changes might mean following
up with changes in the process itself.
c. Can the Standard Operating procedures and controls be modified effectively based on audit findings?

4. Look for a quality document control solution, which integrates training management programs. A well-
designed document control solution must tightly integrate with training management processes:

a. As SOPs get created, are the right members of your organizations being trained on these new SOPs?
b. Can the feedback from end user training be incorporated to further update the SOP itself?

5. Look for a document control solution, which is readily auditable. General-purpose document control
solutions work fine as document repositories. However, when it comes to building a document control
solution for quality and compliance, auditability and traceability become most important. Simple questions
to ask and consider:

a. Can you get complete visibility into any and all changes to documents for audit purposes?
b. Can your auditors drill down into any aspect of your document repository and lifecycle and ascertain
process compliance?
c. Can you trigger quality and compliance alerts on documents based on rules set forth by the internal or
external auditors?

By carefully integrating document control with Quality and Compliance processes, large and mid-size
manufacturers can significantly enhance their audit scores. Many organizations that viewed document control
and quality control as separate initiatives in the past are now increasingly taking an integrated approach to
quality and compliance, building a robust quality infrastructure on a strong foundation of document controls.

As always, I look forward to inputs and thoughts from many of you, as we keep the Compliance and Quality
discussions going in our future newsletters.

Reducing New Product Introduction (NPI) time using a packaged software solution

In several industries, the total time taken to introduce a new product into the market can be the key difference
between a blockbuster and a mediocre performing new product. New Product Introduction involves several
collaborative processes including product design, product quality planning, identifying and qualifying vendors
and plants for sourcing components, conducting first article inspection and taking corrective actions to fix
issues and finally, transitioning the product into high-volume production.

Supply Chain and PLM vendors have attempted to solve this problem using a very narrow approach. However,
in order to successfully reduce the NPI cycle time, companies need a software solution that supports the
end-to-end NPI process.

Packaged Solution for managing the NPI process

A best-of-breed solution for managing the New Product Introduction process must include the following key
capabilities:

• Support for NPI capabilities within the Part Master: The enterprise must manage key NPI product
data such as inspection attributes, inspection methods, skip-lot sampling plans and document attachments
within its part master. Since these capabilities are not typically available within the existing ERP part
master, the NPI packaged solution must provide such capabilities and integrate them with the part master
of the resident ERP system.

• Bid Package Mgmt: Creating a Bid Package for vendor selection involves close collaboration between
product management, engineering, quality, purchasing and internal operations. The NPI solution must
provide the ability to leverage technology for enabling close cooperation between the collaborating
organizations as they prepare the bid package documents, compile the bid package documents, and
implement a workflow approval process before sending the package and tracking responses from vendors.

• Vendor Audit & Qualification: Vendor audit is usually a key step in the acceptance process, before a
component or sub-assembly from a vendor is approved for production. In most companies today, vendor
audit is a manual process. The packaged NPI solution must provide an audit capability, with flexible
administration, to handle questions/checklists that can vary by vendor, site and part. Not only does the
configuration of checklists/questions have to be flexible but the audit responses must be configurable
and quantifiable as well. The necessary reporting infrastructure to analyze this information must also be
available.

• First Article Inspection: Reducing NPI cycle time by automating the First Article Inspection (FAI) process
is an important aspect of a packaged NPI solution. The system should allow the user to easily set up FAI
checklists and then enable the inspectors to capture appropriate FAI data against the checklists during
the inspection process. The results of the FAI are then reviewed by Engineering and Product Management,
based on which the FAI could either be approved or rejected. Unless an FAI is approved, production parts
cannot be received by the receiving dock. The FAI capability should support information capture,
collaboration and the ability to identify opportunities for reducing delays in NPI.

• Corrective Actions: This capability takes the results of the FAI process, identifies issues, and enables
root cause analysis, creation of corrective action plans and implementation of those plans. The solution
must support collaboration with suppliers to ensure reduction in problem resolution cycle times.

• Ongoing Inspections and Corrective Action: The system must support ongoing inspections and
corrective actions during the production ramp-up process leading to new product introduction. Inspections
and corrective actions ensure low PPM in the final product and provide a mechanism for continuous
process improvement.

• Cost Recovery: The process typically allows for complete cost recovery from suppliers during the ramp-
up leading to NPI for any non-conformances once the FAI is completed. The system must provide
capabilities to support the cost-recovery process and must provide mechanisms to include both the costs
of components and the costs incurred by the manufacturer while adding value on that component. Most
cost recovery processes are managed manually and don’t incorporate non-material costs, which may be
over half the total cost of processing non-conforming components from suppliers.

The following diagram illustrates the integrated Process Flows in the NPI process.

Using the MetricStream Platform and Applications for NPI cycle time reduction

MetricStream, a market leader in quality and compliance software, provides key capabilities to manage a New
Product Introduction process. These capabilities include:

• Audit Management

• First Article Inspection

• Corrective Action

• Change Management

• Cost Recovery

• Document Management

• Analytics

• Process Dashboard

In addition, its platform for Quality and Compliance Management includes capabilities such as Event
Management, Notification and Escalation Management and Workflow Management, which can be used to
customize existing applications or rapidly develop specific capabilities that integrate with existing modules
listed above.

Summary

Reduction in NPI cycle times has become an important focus area for most companies. They are increasingly
implementing packaged NPI solutions. Such solutions include Bid Package Management, Vendor Qualification
and Audit, First Article Inspection (FAI), Non-Conformance tracking, Corrective Action Request Management,
Ongoing inspections, Cost Recovery and Process Performance Dashboards.

MetricStream Compliance Insights Series

New User Access Requirements for 100% Compliance

As companies implement enterprise-wide quality and compliance systems to support their 21CFR Part 11,
Sarbanes-Oxley or ISO9000 initiatives, they are forced to address the following critical issues:

• How do you ensure that every person who interacts with a regulatory process, including the most casual
user, always uses the software that automates the regulatory process, instead of informal mechanisms,
to get the job done?

• How do you make the compliance software easily accessible to road warriors such as auditors and
inspectors even when they are offline, so they don’t have to record the quality and compliance information
manually and later transfer it into the compliance software – a key source of user errors leading to failure
to comply with the regulation or mandate?

The solution to these issues lies in leveraging the latest but proven technologies to provide new ways for the
user to access the application. By removing any barriers to easy access and use, companies can ensure
100% adoption of the application. This paper describes how the next generation of compliance systems is
addressing these key issues.

Engaging casual users

One of the key requirements for successful compliance with regulations is that everyone who interacts with the
relevant processes should follow the defined policies and procedures. Typically these procedures and policies
are encapsulated in applications that automate the process. Hence successful compliance requires 100%
adoption of these applications by everyone who interacts with the process. However this requirement also
implies that even the most casual users within the enterprise and at suppliers should know how to navigate
through the application and be familiar with its functionality in order to use it as they interact with the process.
As a result, such casual users become the weakest link in the compliance process.

Let us take the example of an environment where the process engineer approves any change to the operating
instruction of complex manufacturing equipment before it is put into production. The process engineer uses
the quality management system to approve such a change. He is trained on using the system and always
needs to use the system to approve the change, so there is an audit trail of his approval (under the 21CFR Part
11 requirements). However, in this scenario he wants to request his senior product manager to review a specific
change before it is approved to go into production, since the change may affect the surface tension of the
product. Even though the product manager is asked to review such documents very infrequently for
approval, she should use the quality management system to approve the change, rather than sending the
approval via email, since her approval needs to be recorded into the system from a regulatory compliance
perspective. As a result of this requirement, she is expected to know how to navigate the quality management
system that she uses very infrequently. Such a requirement is challenging to impose on a casual user. What if
the product engineer from the equipment vendor also needed to approve the instruction, since it related to a
new feature recently introduced in the product? It would be extremely difficult to expect a product engineer
from a vendor to know how to navigate a customer’s quality management system. These examples indicate
that enterprise-wide compliance software must enable a casual user to easily transact on the system without
any knowledge of the navigation or the functionality.

An ability to capture approvals and explanations from even the most casual users is also very critical in key
financial processes within a company. An example scenario may require a confirmation and explanation to be
obtained from a controller in a foreign subsidiary for reporting a certain set of numbers in a revenue recognition
account. In addition, this information needs to be recorded in a system to ensure compliance with the Sarbanes-
Oxley regulations. As is the case at many Fortune 500 companies, the subsidiary is using a packaged financial
system that is different from the corporate financials system. Hence the controller of the foreign subsidiary is
not at all familiar with the corporate financials system and chooses to send confirmations and explanations via
the company emails or faxes. Such key approval documents get buried under an avalanche of emails/paperwork
and cannot be easily discovered later by auditors or regulators.

A best-in-class quality and compliance management system addresses this issue by delivering relevant application
forms through email to the casual users. The email is sent by the quality management application to these
casual users with forms embedded inside the email to collect the required data. When the user receives the
email from the application, (s)he opens the email and then enters the relevant information in the form and hits
send. The application processes the email as if the information inside the email form was entered on an online
form by the user. Hence the casual user can work within the familiar email system without needing to learn to
navigate and use the application. Such an application capability allows companies to ensure adoption of their
quality and compliance application by all relevant users.

Providing offline access

Internal auditors, who are very mobile and typically work offsite, today use spreadsheets and printed reports to
collect audit data at the site and then manually enter that data into their auditing application when they are
back at their office. Since auditors typically work in teams and the audit team leader needs to review all the
data collected by team members, paper-based (or spreadsheet-based) data collection techniques become
very cumbersome in environments where checklists are large and timelines are tight. In addition, such a
process leaves a lot of room for errors, and a system responsible for managing a regulatory environment cannot
afford to introduce errors into the system.

For example, when a team of internal auditors visits a key supplier, they may spend 2-5 days auditing the
various design, engineering, manufacturing, shipping, quality and accounts payable processes of their suppliers.
Most of the time during the day is spent collecting the data from interviews and observations and analyzing
the data against the expected process flow to identify gaps and recording those issues. Asking the auditor
to record the results on paper or on a spreadsheet and then manually type them into the system when they
are back at their home office creates an opportunity to introduce errors in the system. In addition, when the
team leader wants to review the analysis and findings of the team members, he/she would have to manually
review their notes.

The offline capability within the application enables audit teams to take their audit checklists offline on their
laptops, easily share collected data among team members, and then synchronize the checklists with collected
data back into the online quality and compliance system when they are back in the office. The synchronization
happens automatically in the background and should ensure that the data recorded during offline access is
safely updated into the system. All the forms in the off-line system should look exactly like the online web
screens, so there is no additional training needed. In addition by keeping the user interaction with the software
the same for off-line and on-line environments, the system usage and adoption is ensured – a key requirement
for compliance.

Summary

The next generation of enterprise-wide quality and compliance applications leverages the latest technology to
provide offline access and email-based application access capabilities. As a result of these two new access
capabilities, organizations can ensure across-the-board use of the quality and compliance applications, rather
than use of informal mechanisms to interact with the business processes that are regulated.

Smart Investment Strategies for a Compliance Platform: A Ten Step Guide

Government regulations and mandates are on the rise. Most corporate compliance offices are challenged to
find compliance solutions that can scale across corporate compliance offices and also manage regulatory and
compliance initiatives within respective operational and departmental areas. This article highlights the importance
of selecting the right compliance platform, which can scale across different regulations (federal and state
regulations, 21CFR Part 11, Sarbanes-Oxley, OSHA, internal governance initiatives etc.) while serving users
across the enterprise. Most corporations have diverse systems and processes and the challenge always is on
monitoring and reporting compliance events and trends across the enterprise.

A well-designed compliance management platform has abilities to perform the following key functions across
the enterprise:

1. Compliance Dashboard: The compliance platform must provide a single enterprise-wide dashboard for all
users to track and trend compliance events. All compliance events should be easily viewed interactively through
the enterprise compliance dashboard. External auditors, internal auditors, compliance officers can use the
dashboards to make decisions on the compliance status of the organization.

2. Policy and Procedure Management: A well-designed document management system forms the basis of
managing the entire lifecycle of policies and procedures within an enterprise. Ensuring that these policies and
procedures are in agreement with the ever-changing rules and regulations is a critical requirement. The creation,
review, approval and release process of the policy documents and SOPs (Standard operating Procedures)
should be driven by collaborative tools that provide core document management functionality. The ideal solution
typically provides for both sequential processes to review and approve documents and parallel "ad-hoc" review
processes enabling a wide range of participation and input to the review cycle. For such purposes, a well-
designed document management system with a tightly integrated email collaboration capability becomes a
critical necessity to enable both sequential and parallel review processes across a wide range of participants.
Compliance solutions which do not enable appropriate email collaboration, and merely focus on document
management often are not effective in ensuring that their policies and procedures are globally in sync with the
rapidly evolving rules and regulations.

3. Event Management: The compliance management system must have the ability to capture and track events,
cases and incidents across the extended enterprise. Compliance Officers, Call center personnel, IT departments,
QA personnel, ethics hotline should be able to log in any adverse events across the enterprise, upon which the
necessary corrective and preventive actions (CAPA) are initiated. Creating a single system of record for all
compliance events across regulations provides the opportunity for offering integrated compliance dashboards.
Enterprises which are investing in "point" solutions for each regulation often miss out on the efficiency gains
of creating a single system of record for compliance, be it for Sarbanes-Oxley compliance, FDA compliance, or
internal quality or governance initiatives.

4. Rules and Regulations: A well-designed compliance management solution must offer capabilities for the
organization to stay continuously in sync with changing rules and regulations. As soon as there are regulatory
changes, appropriate entities, policies and SOP owners should be notified proactively through "email based"
collaboration. This process critically enables the organization to dynamically change their policies and procedures
in adherence to the rules and regulations. While tracking a single regulation may be manually feasible, it
becomes an error-prone task to track all local, state, and federal regulations across the globe for Sarbanes-
Oxley, FDA, JCAHO, ISO, EPA, OSHA, Patriot Act. A well-designed Compliance management system offers
up-to-date regulatory alerts across the enterprise.

5. Audit Management: Audits have now become part of the enterprise core infrastructure. Internal audits,
financial audits, external audits, vendor audits must be facilitated through a real-time system. Audits are no
longer a "once-a-quarter" activity; in many instances, FDA/SEC audits are initiated without notice and corporations
must be prepared to offer appropriate audit capabilities. Appropriate evidence of internal audits becomes
critical in defending compliance with regulations.

6. Quality Management: Most organizations have internal operational, plant-level or departmental quality
initiatives aligned to industry mandates like Six Sigma or ISO 9000. A well-designed compliance management program
incorporates and supports ongoing quality initiatives. Most quality practitioners would agree that quality and
compliance are two sides of the same coin. Therefore, ensuring that your compliance management solution
offers support for your enterprise-wide quality initiative is critical.

7. Training Management: Most compliance programs require evidence of employee training. Regulations
like FDA 21CFR Part 11 or the SEC Sarbanes-Oxley Act mandate employee training upon evidence of
non-conforming events. Lack of documented training can lead to fines and penalties. Often the compliance office
has to work closely with the HR organization to facilitate such employee training initiatives. Well-designed
compliance programs require a well-integrated approach to e-learning and training management.

8. Compliance Task Management: Compliance organizations must plan, manage and report status of all
compliance related activities from a centralized solution. Automated updates from the various compliance
modules should provide for up-to-the-minute status reporting that could be viewed by the board of trustees,
corporate compliance officer, entity compliance coordinators, quality offices and others as designated.

9. Financial Sarbanes-Oxley Compliance: The Sarbanes-Oxley Act of 2002 has become a critical compliance
initiative in most CFO offices. A well-designed compliance solution must address the needs of
the financial office and provide support for COSO, COBIT and Enterprise Risk Management (ERM) frameworks
of compliance. Enhancing the quality of financial reporting for publicly traded companies is critical for creating
shareholder confidence as well as ensuring compliance to the Securities and Exchange Commission. SOX
compliance must address the following compliance phases:

• Design: Design of compliance environment, control hierarchies, and segregation of duties

• Assessment: Assessment of control executions, process-flows, effectiveness

• Improve: Improvement through remediation plans, corrective action plans and business user collaboration.

• Monitor: Monitor design status, SOX quarterly and monthly trends, assessment and improvement status,
SOX views by business units or geographies.

10. Configurable Platform: Last but not least, it is critical to build your compliance solution on a scalable
and configurable platform, one which can adapt and change to the regulatory environments, today and in the
future. Compliance workflows, tasks, audit processes, financial reporting standards, quality management
techniques all change with time. Your chosen platform must enable you to rapidly adapt to the changes without
intensive re-programming of your systems. Many compliance application vendors attempt to package their
application as a platform, yet, discerning buyers look closely at the true power and capabilities of the configurable
platform.

Forward-thinking corporations that follow this ten-step guide to compliance standards are achieving
compliance more productively; they are in fact leveraging the compliance requirements to build a
higher-quality organization with greater corporate performance.

How to give a Quality Score to your Supplier

A supplier quality score provides a real-time and objective analysis of the quality performance of a supplier.
The score empowers an organization to manage its supply base more effectively by enabling it to:

• Identify continuous improvement and cost savings opportunities

• Promote and encourage improved communication on performance issues

• Provide objective data for use in supplier management and sourcing decisions

• Recognize and promote exceptional supplier performance in quality

A supplier scorecard contains categories or main groupings of metrics by which suppliers are measured.
These categories include quality, delivery, cost, and responsiveness. An aggregated score for each category is
calculated first, giving a company visibility into the quality score, delivery score, etc. Each category has an
assigned weighting, which is then rolled into the overall supplier score within the scorecard. The score of the
quality category (quality score) typically carries 40% to 60% of the overall supplier score weighting factor in most
organizations. Hence quality management systems (QMS) drive the overall supplier scorecard in such
organizations. This paper first describes how some of the leading manufacturers calculate their quality score
and then gives a checklist to ensure that your quality management system (QMS) can drive an accurate and
quick calculation of the quality score.

The following chart identifies key metrics in each of the categories.

Figure 1: Various Metrics in Supplier Scorecard

Supplier Quality Score
The Supplier Quality Score is an aggregate rating of the various quality-related performance metrics for the
supplier. Scores for various quality metrics are multiplied by their weighting and the summation provides the
overall quality score for the supplier. The following examples show how two leading manufacturers calculate
the overall quality score for their suppliers.

Example 1: A Business Unit of a Fortune 500 Medical Device Manufacturer:

• Supplier quality score is a simple metric that is a result of three key measurements:

• Lot Acceptance Rate (LAR)

• Supplier Corrective Action Requests (SCAR)

• Past Due SCARs

LAR is the percentage of lots shipped by the supplier and accepted by the organization within the given fiscal
month.

Each SCAR issued results in a 2 basis point deduction from the LAR for the fiscal month in which it was issued.
If there is no response to a SCAR within 20 business days, it is past due. Each Past Due SCAR results in a 3 basis
point deduction from the LAR for each fiscal month in which it was overdue.

The Quality Score is calculated from the three measurements described above, using the following
calculation:

Quality Score = LAR – (# of SCARs * 2 basis points) – (# of Past Due SCARs * 3 basis points)

An "approved" supplier must consistently maintain both quality and delivery scores of 90% or greater.

When either score falls below 90% for an extended period of time, the status of the supplier may be downgraded
to "conditional", which means that future business may be dependent upon the successful completion of a
written CAPA (Corrective and Preventative Action Plan) to eliminate the root cause of the quality or delivery
problem.

If the score of a "conditionally approved" supplier falls below 70% for an extended period of time, the supplier
may be downgraded to "disapproved". The organization will not purchase from disapproved suppliers.

Example 2: A Fortune 500 Automotive Supplier:

What to look for in a QMS

A Quality Management System (QMS) enables a manufacturer to deploy supplier quality scores and use them as a
basis to categorize its suppliers, as a part of its overall supplier strategy. While evaluating a QMS, you
should look for the following four key capabilities within the system:

• Ability to configure the quality scorecard: The manufacturer should be able to easily configure the scorecard
capability within the QMS to add their own metrics with their own calculations and apply their own threshold
criteria for each metric (to show green/yellow/red status for each metric) without having to modify their
QMS system.

• Ability to see charts and details: The manufacturer should be able to configure the supplier scorecard
capability within the QMS to easily see trend charts for a metric, as well as, be able to drill down into the
details to better diagnose the issue without having to modify their QMS system.

• Ability to easily import information from other systems: The manufacturer should be able to easily import
relevant information from various homegrown systems into the QMS scorecard module with no hard-coded
programming. This enables the manufacturer to quickly create scorecards and easily update them
when the source systems change, at a very low cost of ownership.

• Ability to calculate quality score: The manufacturer must be able to apply their own model to calculate their
overall quality score without having to write custom software code within the QMS system. This is very important,
since the calculations and weightings evolve over time and the manufacturer should not have to bear the cost of
developing, testing and validating such changes to the QMS software on an ongoing basis.

Supplier quality scores, when implemented correctly, provide a very compelling tool to a manufacturer to
automatically and continuously measure the performance of their supply-base and to proactively work with
them to improve their capabilities. Without the right QMS product, these scores are created manually on
spreadsheets in many corporate quality organizations – a very manually intensive and error-prone process.

About MetricStream
MetricStream allows its customers to improve supplier quality through its integrated and comprehensive quality
management solution. Market leaders in industries as diverse as Automotive, High Technology, Consumer
Goods, Manufacturing, Pharmaceutical and Food Services use the company's solution. Developed from the
ground up using web architecture, MetricStream provides an integrated set of the following modules to drive
closed loop corrective actions and manage supplier quality:

• Audit Management

• Inspection Management

• Non-Conformance Management

• CAPA

• Change Control

• Document Management

• Training Management

• Equipment Management

• Cost Recovery

• Supplier Quality Scorecard

• Analytics/dashboards

Can't get budget approval for your Quality Management System?

Many quality directors have difficulty in getting capital budget approvals to acquire a badly needed Quality
Management System (QMS). The reason in most situations is that their justification approaches the system
benefits from a bottom-up operational perspective – the new system will provide a mechanism to achieve key
quality objectives such as issue tracking, developing and implementing corrective actions and reporting on the
key process improvement metrics.

While meeting these requirements enables an organization to standardize and automate its approach to quality
improvement, it does not bring to light the key quality-related issues that senior management worries
about. Such topics include:

• Getting access to scorecards and dashboards to get unprecedented visibility into the supplier quality to
improve strategic supplier management

• Implementing a mechanism for measuring, monitoring and reducing cost of poor quality and cost of
compliance on an ongoing basis

• Gaining a framework to manage enterprise risk from poor quality & compliance

A justification for a QMS must address how the system will address three key issues – bottom-up operational
management, top-down risk and cost management and financial ROI. The following is a list of topics that a
QMS request-for-budget document should clearly address:

• Bottom Up: How will the system enable the company to automate its key quality improvement processes,
including:

    • Audits
    • Inspections
    • Issue tracking
    • Corrective actions
    • Supplier cost recovery
    • Document control
    • Reporting

• Top Down: How will the system enable the company to implement the following:

    • Supplier Scorecards and key metrics covered
    • Measuring Cost of Poor Quality: Metrics, calculations and trends
    • Operational Scorecards: Metrics and trends. (Tracking key quality metrics that our customers or
      regulatory agency measure us by – so this exposes any potential future problems and enables
      management to proactively address these issues to reduce risk. For example, if a manufacturer
      wants to manage their customer risk, the risk scorecard will allow them to track PPM scores from
      customer, customer CARs and their response/resolution time etc.)

• Financial Justification: What is the financial return from the system

    • Total annual savings and NPV from quality system
    • Total cost recovery savings and NPV
    • Total savings and NPV from reduced scrap
    • Total savings and NPV from reduced rework
    • Total savings and NPV from reduced MRB inventory
    • Total savings and NPV from reduced line shutdowns
    • Total savings and NPV from improved equipment utilization
    • Total savings and NPV from less expedited freight
    • Total savings and NPV from reduced warranty, recall & returns
    • Total savings and NPV from reduced inspections
    • Total cost of the system (HW, SW, implementation, additional headcount to manage the system,
      annual maintenance etc.)
    • Average Return in # of months

A well framed 'request for budget' that addresses bottom-up operational needs and top-down management
requirements, along with well quantified financial justification will go a long way in satisfying all relevant
stakeholders to approve the funding for a Quality Management System.

Paper-based quality system is more costly than you think

Paper-based quality management systems are fairly common in mid-sized organizations. While such systems
can successfully manage product and process quality, they significantly increase the risk of cGMP
non-compliance at FDA-regulated organizations. They also impede a manufacturer's ability to implement continuous
improvement initiatives. Such paper-based systems also become a bottleneck for companies experiencing
fast growth. This paper articulates various issues with paper-based quality management systems based on
research with quality management executives at mid-sized companies.

• Document Control: In a regulatory environment (or an ISO9000 environment), document control is a
fact of life. Any change to an SOP needs to go through a strict change-control process. In a paper-based
environment, there is little visibility into the status of documents in the review cycle. Quality managers
often have to walk from desk to desk to identify where a document is 'stuck' in the review cycle. As a
result, the review cycles can be long and unpredictable. Manual document control procedures can also
be more error-prone. Such issues may at times unknowingly compromise an organization's ability to
comply with cGMP regulations. They also make it difficult to implement continuous improvement initiatives
in a timely and predictable manner in an ISO9000 environment.

• CAPA management: In a paper-based system, lack of a reliable closed loop control makes it difficult to
ensure that the corrective actions were successfully implemented. As a result, cGMP compliance can be
unknowingly compromised. Without clear visibility into the status of planned process changes, it is
difficult for quality managers to implement continuous improvement initiatives in an ISO9000 environment.

• Preventive Actions: Manufacturing organizations want to trend quality-related problems, proactively
identify potential issues and take preventive actions to address such issues before they surface. Preventive
actions can significantly reduce cost of poor quality in a manufacturing organization and can prevent
potential problems that can cause cGMP non-compliance. However, quality managers in a paper-based
environment cannot easily trend problems. Hence they cannot deploy such an important quality
management technique on a large scale.

• Metrics: The prevailing wisdom says what you can't measure, you can't improve. Paper-based systems
make it very difficult for companies to collect and review key operating metrics in a timely manner. Our
research with quality executives leads us to believe that in a paper-based environment, metrics are usually
compiled with a huge manual effort (over 15% of a quality engineer's time) and distributed on a fortnightly
or monthly basis with little drill-down capability for detailed causal analysis. Lack of metrics impedes their
ability to react to quality-related issues in a timely manner, leading to high cost of poor quality and high
cost of compliance.

• Cost of a paper environment: While paper-based systems may seem to cost less on the surface, there
is a huge amount of hidden cost due to the enormous amount of time the organization spends to ensure
document control, to chase down bottlenecks in document review and to ensure corrective actions were
implemented in a timely manner. From our research, a quality engineer typically spends over 35% of
their time on such activities - time that could be spent on higher value-added activities for the organization.
In addition, lack of ability to identify preventive actions on a large scale, inability to ensure all corrective
actions are always implemented and poor visibility into quality-based metrics affect their ability to
significantly reduce cost of poor quality or cost of compliance. As a result, the hidden cost of a
paper-based quality system is very high.

An automated quality management system provides an organization with the tools to streamline the end-to-
end quality management process. With automated change control, the quality managers have visibility into the
status of any change request at the click of a mouse - who has reviewed the revised document, who is sitting
on the approval request and needs to be prodded and who else needs to review it. As a result, review cycle
time can drop by as much as 50% after the process is automated. Once approved, the new version automatically
replaces the existing version of the document making change control a very smooth process. The out-of-spec
problems, non-conformance issues and corrective actions are tracked automatically by the system. Users
have 100% visibility into non-conformance issues that have not been resolved or corrective actions that are
waiting to be implemented. An ability to look at all corrective actions for a process or a product in aggregate
provides quality engineers an ability to trend and proactively identify potential issues and design preventive
actions to address such issues before they surface. Dashboards and scorecards with up-to-the-minute metrics
and detailed drilldowns are available to key stakeholders. As a result, the overall cost of poor quality and cost
of compliance is reduced. Risk of non-compliance (and potential liabilities associated with it) is minimized.

Role of a Quality Management System in Six Sigma Deployments

Six Sigma is a disciplined, data-driven approach to improving product and process quality. Ever since Jack
Welch labeled Six Sigma as one of the most strategic initiatives undertaken by GE, it has seen its adoption
increase dramatically across the world. Enterprise quality management systems play a key role in the Six
Sigma deployments. This paper explains the role of such a system in the implementation of Six Sigma to
improve the order-to-delivery process at a manufacturing site.

Six Sigma Overview

The quality of a process is measured by its ability to consistently deliver products or services within the
specification limits. While a company can deliver a good quality product made using an inefficient process, it
comes at a very high cost. An inefficient process will generate an unacceptably high number of defects and
produce them with a level of variation that hinders the ability to predict process performance. The following
chart shows the defects per million and cost of poor quality at various sigma levels.

If a process is operating at Six Sigma, its variability is extremely low at 3.4 defects per million. At Six Sigma, the
company has a significant competitive advantage in delivering very high levels of quality (nearly zero defects)
at dramatically lower costs.

The methodology for achieving Six Sigma is known by the acronym DMAIC. DMAIC stands for five interconnected
phases - Define, Measure, Analyze, Improve, and Control. DMAIC refers to a data-driven approach for improving
processes using the Six Sigma quality initiative. In this paper a manufacturer applies the Six Sigma methodology
to improve the on-time delivery process. The details behind the various phases in the Six Sigma implementation
in this scenario include:

Define: In this phase the Six Sigma team develops a clear definition of the process sponsor expectations and
issues, as well as, the scope of the overall project. This phase requires the team to perform the following:

• Define the process to be improved by mapping the process flow in detail

• Capture clearly the expectations of the process sponsor

• Define project boundaries - the stop and start of the process

Measure: This phase requires the Six Sigma team to capture the key issues associated with order-to-delivery
process data, as well as, key order-to-delivery metrics. The team uses the audit management capabilities in
their quality management system to audit the order-to-delivery process to better understand key issues. The
metrics are collected from various systems that touch the order-to-delivery process. The metrics form the
baseline for the process performance and help focus on key issues. The baseline metrics also enable the
team to quantify the improvements made to the order-to-delivery process at the end of the DMAIC phases.
The key steps in the phase include:

• Develop a data collection plan for the order-to-delivery process

• Collect data from many sources (systems and audits) to determine issues and core process metrics

Figure 1: Audit feature of the quality system allows the team to identify key expectations and issues

Analyze: This phase requires the Six Sigma team to analyze the data collected to determine the root causes
of issues and identify opportunities for improvement. Key steps in this phase include:

• Identify gaps between the current order-to-delivery metrics and goals

• Perform root cause analysis

• Identify corrective actions (CAPA) using technology and discipline

• Prioritize opportunities to improve

Improve: In this phase, the Six Sigma team implements the improvements to fix the problems and prevent
them from occurring in the future. The Six Sigma team uses the quality management system to closely track the open
corrective actions and to ensure that they are successfully implemented. The team also uses the quality
management system for document change control to ensure the new operating procedures and other documents
are in use. The steps in this phase include:

• Develop and deploy implementation plan

• Institutionalize the improvements through the modification of processes and structures (staffing, training,
incentives)

• Implement document change control to ensure process changes are followed

• Track and ensure closure of CAPA items

• Monitor corrective action effectiveness with real-time performance data and analysis

Figure 2: Use CAPA tracking to ensure that corrective actions/solutions are successfully implemented

Control: In this phase, the Six Sigma team ensures that there are controls in place to keep the improved
process on the new course. The quality management system allows the team to audit the order-to-delivery
process to ensure the improvements have taken hold to prevent the process from reverting back to the "old
way". The key steps in this phase include:

• Require the development, documentation and implementation of an ongoing monitoring plan

• Monitor order-to-delivery metrics and perform process audits to ensure improvements are here to stay.

Using DMAIC, supported by an enterprise-wide quality management system, a company can streamline its
order-to-delivery process and reap its rich rewards.
