Montrium Connect Compliance Concerns

Hello good people of the world! Today we’re talking about a specific Software-as-a-Service (SaaS) product: Montrium’s Connect. Montrium offers a number of modules in their Connect software (Document Management, Training, CAPA, Incidents, etc.) Today I’ll focus on the Document Management module.

What makes Montrium’s offering unique is that is it built on top of Microsoft Sharepoint. I previously talked about Sharepoint Online with respect to compliance concerns here (a little out-of-date, but still relevant).

The first point I’ll make is having the application built on Sharepoint brings some significant advantages and disadvantages. The primary advantage I see, in comparison with other electronic Document Management Systems (eDMS), is that Sharepoint uses Microsoft’s Office Online suite, and arguably the world’s best online word processor: Word. I am not aware of any online word processor as fully featured as this one. I have used other eDMSs that have their own word processor and having less features can be really frustrating.

That said, Sharepoint also brings it’s clunky user interface and outdated Active Server Page (.aspx) architecture. The application won’t feel as snappy as modern websites, and you’ll see page reloads for things that would be handled by a component re-render in more modern applications. Overall the application feels very slow. I found myself having to wait minutes sometimes for items moving through a workflow to pop up in my task list.

An example of Montrium / Sharepoint UI

The first thing that struck me with the compliance aspect of Montrium’s offering is that they have categorized their Connect SOP (which is the brand name for the Document Management Module) as GAMP category 3 software. GAMP category 3 is commerical-off-the-shelf (COTS) non-configurable software. I don’t know how they consider this software non-configurable, because there is a lot of configuration options that change how it functions, including workflows. This results in end-users not creating a configuration specification and not testing the configuration to their specific intended use. This could be a compliance risk.

Another thing I noticed is the audit trail functionality. There is no interface for audit trail, instead it is automatically exported a protected Excel file every 28 days. I find it strange that the audit trail would not be available in real-time, and think this could introduce some compliance risk. It also falls into the trap of including at least some non-human readable data. See the example below:

Audit Trail Example

So just a couple points of concern with Montrium’s Connect software in a regulated use case.

What has your experience with Montrium Connect been? What is your favorite eDMS? Comment below.

Like this MWV (Mike Williamson Validation) blog post? Be sure to like, share, and subscribe!

Regulations and Guidance for Assessing a Computer System Supplier

Hello good people of the world! Today’s post is continuing the series on compliance in the cloud. Today’s post is a simple list of regulations and guidance that you can provide to someone who asks the question: why do we have to assess suppliers of computer systems/software? These are the reasons why!

FDA 21 CFR Part 820 Quality System Regulation (link)

Section 820.50 Purchasing controls

Each manufacturer shall establish and maintain procedures to ensure that all purchased or otherwise received product and services conform to specified requirements.

(a) Evaluation of suppliers, contractors, and consultants. Each manufacturer shall establish and maintain the requirements, including quality requirements, that must be met by suppliers, contractors, and consultants. Each manufacturer shall:

(1) Evaluate and select potential suppliers, contractors, and consultants on the basis of their ability to meet specified requirements, including quality requirements. The evaluation shall be documented.

(2) Define the type and extent of control to be exercised over the product, services, suppliers, contractors, and consultants, based on the evaluation results.

(3) Establish and maintain records of acceptable suppliers, contractors, and consultants.

EudraLex Volume 4 Annex 11: Computerised Systems (PDF)

Section 3 – Suppliers and Service Providers

3.2 The competence and reliability of a supplier are key factors when selecting a product or service provider. The need for an audit should be based on a risk assessment.

3.3 Documentation supplied with commercial off-the-shelf products should be reviewed by regulated users to check that user requirements are fulfilled.

3.4 Quality system and audit information relating to suppliers or developers of software and implemented systems should be made available to inspectors on request.

Section 4 – Validation

4.5 The regulated user should take all reasonable steps, to ensure that the system has been developed in accordance with an appropriate quality management system. The supplier should be assessed appropriately.

ICH Guideline Q9 on Quality Risk Management (PDF)

II.4 Quality Risk Management for Facilities, Equipment and Utilities

Computer systems and computer controlled equipment

To select the design of computer hardware and software (e.g., modular, structured, fault tolerance); 

To determine the extent of validation, e.g., 

  • identification of critical performance parameters; 
  • selection of the requirements and design; 
  • code review; 
  • the extent of testing and test methods; 
  • reliability of electronic records and signatures.

II.5 Quality Risk Management as Part of Materials Management

Assessment and evaluation of suppliers and contract manufacturers

To provide a comprehensive evaluation of suppliers and contract manufacturers (e.g., auditing, supplier quality agreements).

ICH Guideline Q10 on Pharmaceutical Quality System (PDF)

Section 2.7 Management of Outsourced Activities and Purchased Materials

  • Assessing prior to outsourcing operations or selecting material suppliers, the suitability and competence of the other party to carry out the activity or provide the material using a defined supply chain (e.g., audits, material evaluations, qualification); 

ICH Guidance E6 on Good Clinical Practice (PDF)

Section 5.5 Trial Management, data handling, and record keeping

5.5.3 When using electronic trial data handling and/or remote electronic trial data systems, the sponsor should: 

(a) Ensure and document that the electronic data processing system(s) conforms to the sponsor’s established requirements for completeness, accuracy, reliability, and consistent intended performance (i.e., validation).

That’s it! Are there any I missed? Comment below!

Like this MWV (Mike Williamson Validation) blog post? Be sure to like, share, and subscribe!