by Tamar M. June

Web-based software solutions are changing the landscape of today's business environment. Most enterprise-class software applications (ERP, CRM, supply chain management, etc.) already utilize Web-based technologies to take advantage of the Web browser's ubiquitous presence and ease of use. However, the adoption of these technologies in the quality assurance realm has taken somewhat longer.

 Today, only a few corrective and preventive action systems provide true Web-based technology. These systems should not be confused with "Web enabled" implementations that simply apply a Web interface to an old and limited technology platform (e.g., client/server). Often these short-sighted "me too" products are limited in functionality; are difficult to install, maintain and use; and dramatically increase the total cost of ownership. A brief examination of the history of these technologies will make the differences more clear and poignant.

Client/server vs. Web-based systems

 During the 1980s and 1990s, client/server technology was often promoted as the best solution for managing information within the organization. However, by the end of the '90s, information technology began to dramatically change as progressive companies realized the need to share information with customers, suppliers and strategic partners outside the organization. Information systems utilizing innovative Internet-driven techniques became the cornerstones of increased productivity and efficiency, greatly responsible for the astounding economic growth of the mid- to late '90s. By leveraging the use of a simple Web browser, companies began to realize that not only could information be shared easier and faster, but the cost of implementing and maintaining Web-based systems was actually lower.

 Traditional client/server technology required application-specific software to be installed and configured on all end-user (client) computers. The installation process often took months, costing tens or hundreds of thousands of dollars. Expensive high-bandwidth connections were required for each client computer. And, when a software update was made available, the entire installation process had to be performed all over again.

 In contrast, the typical home or work computer already has all the software it needs to utilize a true Web-based software system: a Web browser. Client installation costs are zero. And software updates are deployed only on the server, so client computers never need to be updated. Properly designed Web-based systems provide good performance, even when used over inexpensive dial-up connections.

CAPA and the Web

 In the past, CAPA systems were a small part of the overall manufacturing process, isolated primarily in the quality control departments. The ever-increasing demands for real-time information and analyses, and the need to involve customers and suppliers in the quality assurance process, have caused organizations to refocus their efforts to include Web-based CAPA systems within their core information system infrastructure. By doing so, an entire organization is able to respond to critical situations within minutes or hours, rather than days or weeks. Issues can be identified, analyzed and addressed from any location. Additionally, queries and other analytical tools embedded in the CAPA system greatly reduce the amount of time required to identify root causes, thereby solving problems faster.

 In today's litigious society, product safety and quality issues are more important than ever. Recalls and lawsuits can cost hundreds of millions of dollars. CAPA policies and procedures should be designed to ensure that a product quality issue is identified and resolved as quickly as possible, and to ensure containment of other affected parts and components until root causes are identified, and corrective action is taken. Including suppliers in the CAPA process may be vital to success, and critical for liability minimization.

 When choosing a Web-based CAPA system, look for the following:

  True zero-client, Web-based architecture. Can the system function on client computers running any operating system without requiring plug-ins or other software for inputting, viewing and querying data? Can you or your administrators perform all functions from the Web browser, including designing forms and workflows, and setting up new users?

 If not, the system is likely Web-enabled instead of Web-based. Remember, Web-enabled systems add a thin Web interface to an outdated client/server core, quite literally as an afterthought. Web-based systems are constructed from the ground up to function natively on the Internet.

 Only a true zero-client (i.e., browser only) system will operate free of headaches with the lowest total cost of ownership. If plug-ins or other client software are required, you must ensure that all computers have the required software properly installed and configured, are up to date and meet higher standards that may preclude usage by desired participants. A true zero-client, Web-based architecture will work flawlessly on any type of computer or Internet appliance, across all types of operating systems and platforms including Windows, Mac, UNIX, Linux, Solaris and Palm. Are you really free to dictate the specific type of computer systems that your key partners and suppliers must run, as they must be configured? Probably not.

 The use of scripting languages (e.g., Java script) or client-side components such as ActiveX controls not only limit compatibility but can also lead to performance, reliability and security problems. For example, systems that utilize Java script literally transfer program source code to the client computer with every page, increasing load times. Users are free to view this source code, potentially gaining intricate knowledge (e.g., security mechanisms) that you would prefer they didn't have about your system. Furthermore, the client computer must interpret and execute the source code precisely as the CAPA system designers intended, or errors and malfunctions can occur. If you've ever encountered a "script error" while browsing the Web, you have experienced this first-hand. Such errors may be benign, or they might lead to data corruptions, security breaches or other serious problems. Simply installing or uninstalling an unrelated software program can cause the source code to be interpreted in a different way (or not at all).

  Configurability, customization and API. Can you easily configure and customize forms, fields, workflow and security settings to suit your organization's needs? Can you easily implement your own business rules? Does the system include an open, standards-based application programming interface that's usable in any software development environment? Or are you stuck with limited configuration screens and a proprietary internal scripting language? Most important, can you do all of this yourself, or does the system provider have to be involved? Costly customizations might leave you with a difficult-to-support "one off" system that may no longer be upgradeable.

  Flexible and robust integration with other information systems. Make sure that the CAPA system you choose is capable of easily integrating with other information systems already installed in the enterprise, whether they are Web-based or not and regardless of manufacturer (including custom systems developed in-house). This can eliminate costly double-entry, ensure data quality and provide exceptional ease of use and convenience. For example, the system should allow part numbers, supplier names or any other data (or combinations thereof) to be validated against master data in external systems before the information is allowed to enter the CAPA system. Or, the system should allow a user to click on a customer or supplier name and retrieve current and relevant details from master data stored outside the system, regardless of its native format. Similarly, external systems such as manufacturing execution systems or automated test systems should be able to add, edit, query and analyze data in the CAPA system.

  Reporting, analysis and business intelligence tools. Look for systems that allow you to utilize your current reporting/business intelligence system, without being locked into one that the manufacturer chooses for you. Business intelligence tools are already an expensive investment, so why not take advantage of the tools you're already familiar with? You should be able to seamlessly link your CAPA system with these tools, so that detailed reports and graphs are only a mouse click away. In addition, make sure your CAPA system is able to query by each and every field in your forms. Some don't allow this, which severely limits your ability to perform trend analyses, identify root causes, etc.

  Bullet-proof security. Extensive security features should be key components of every CAPA system. You should be able to limit the access of users, departments or groups down to the field or record level, using any criteria you can imagine. Configurable minimum password requirements and maximum session durations are mandatory requirements, and support for "secure sockets layer" communications and network authentication systems (e.g., NT authentication) is highly desirable. A robust CAPA system should also be capable of automatically detecting and thwarting repeated attempts to gain unauthorized access, and notify system administrators immediately when this threat occurs.

  Extensible to suppliers, customers and business partners. Your external business partners already own a Web browser, which is all the software they need to participate in your quality improvement programs. A CAPA system should be able to tailor the functionality available to each user by setting access permissions, record and field level security. Your external partners can then see and do only what you want them to. Your Web-based CAPA system should be securely available anywhere, anytime an Internet or intranet connection is present.

  File attachments and links. CAPA records often reference documents, URLs, photos, drawings or other materials. CAPA systems that offer the ability to attach such files to a record and store them securely within the database—and track any changes to those documents—are ahead of the game. Beware of systems that store attachments separately on a file server, allowing anyone with network access to freely modify or delete the attached documents without even logging in to the CAPA system.

  Universal e-mail integration capabilities . Does the CAPA system you are evaluating require a particular e-mail system, or can it integrate with any e-mail system, including the one that you currently use? Companies often migrate from one e-mail system to another over time, and the CAPA system should not inhibit migration or (worse yet) become obsolete when the migration is made.

  Unlimited automatic notification and escalation rules. In your CAPA system, you should be able to define any number of rules to ensure that issues are addressed in a timely manner. For example, you may wish to have users automatically reminded of impending due dates via e-mail and urgently informed when their tasks are late, and finally escalate the tasks to management when they become critically overdue.

  Beware of "modular" products . Many companies offer modular software products that require a minimum set of modules to be purchased (which you may otherwise have no interest in owning) just to allow the actual CAPA module to function. Avoid buying software that you don't want or need. Look for CAPA systems that are robust and self-contained, yet still offer the flexibility to integrate with the other best-of-breed software systems that you already have or plan to acquire in the future.

  21 CFR Part 11 compliance for FDA-regulated companies. If you are in an FDA-regulated industry such as medical device/diagnostic, biotech or pharmaceutical, it's essential that your CAPA system fully comply with 21 CFR Part 11, governing electronic records and electronic signatures. For example, the system should include a secure, time-stamped audit trail that enables authorized users to view all past versions of issues, actions and attachments in their entirety. Electronic signature implementation ensures that signatures can only be applied by their genuine owner. For more information on 21 CFR Part 11 requirements, visit www.fda.gov .

  Scalability. Look for systems that are designed to easily grow with your needs in a cost effective manner. High-volume reliable Web sites such as Amazon.com and Microsoft.com are designed to "scale up" simply by adding additional servers as usage increases. Your CAPA system should be similarly designed and have no limitations on how large it can grow. Also, ensure that your CAPA system runs on a robust database system, such as Microsoft SQL Server or Oracle 9i.

The Web-based wrap-up

 Web-based CAPA systems provide myriad benefits, including ubiquitous access, ease of installation and use, faster identification of root causes, and lower total cost of ownership. Choosing an optimal system requires understanding the architectural differences between true Web-based systems and those that are only Web-enabled. This knowledge, coupled with a requirements list that anticipates future business requirements and technological evolution, will allow anyone to select, evaluate and implement a critical and strategic quality assurance tool that will provide benefits well beyond these first few years of the 21st century.

About the author

 Tamar M. June is director of marketing at AssurX Inc., a software company that provides CAPA systems to a variety of industries, including medical device, pharmaceutical, semiconductor, aerospace and contract manufacturing. She has spent the past 16 years in both manufacturing and information technology. E-mail her at tjune@qualitydigest.com . Letters to the editor regarding this article can be sent to letters@qualitydigest.com .