ASQ WCQI 2023 – Member Leader Day

ASQ WCQI starts with Member Leader Day, the one time a year when we actually get the chance to get a large group of member leaders together.

The ASQ continues to grapple with demographics, and I would love to see the demographics of this group of member leaders. Given that 76% of member leaders joined between 1970 and 2020, I would love to see that a little more granular by decade.

I know that the divisions send 2 members each, but I am not sure what sections are allowed for conferences and travel. Given the huge amount of sections compared to divisions, I would not be surprised if there is a different dynamic. If so, then that would skew the demographics even more.

We made it 12 minutes before the membership challenge was brought up. The value of a professional association remains critical to my mind. I feel that a lot of folks in my own organization don’t see the value, let alone among the wider professional group (and I pay for an ASQE membership as well as a few others for people to take advantage of).

Stephanie Gaulding then presented a diversity moment drawing from a post Belonging: A Conversation about Equity, Diversity, and Inclusion.

Diagram from Turner Consulting Group 

We then did a brainwriting activity (yes!) on “What is one thing we, as ASQ, Member Leaders, can do together to increase the Society’s value to our members?”

Our table consolidated around push vs pull communications and the value of a personal connection. Other tables talked about entrepreneurship (overuse of the buzz term if you ask me); student organization connections; the value of fun.

I look forward to seeing the full list. More importantly, I would like to see the follow-up. Aspirational activities often end up being just that, with little follow-through.

The CFO then discussed the “Short Term Fixed Income Investment Fund” which seems more directed to the Sections (which seem to sit on a lot of than the Division. Given that on the Division basis, it usually feels like a total lack of money, not sure of the value of this. I definitely zoned out.

And then we got the 3+ year debate on Division funding grumbling through the Q&A. Only took 40 minutes.

We then broke into Geographic Communities (the sections) and Technical Community (the divisions). I went to the technical meeting, as I am currently serving as chair-elect of the Food, Drug, and Cosmetics Division.

One can take, from posts like ASQ Technical Forums and Divisions as Knowledge Communities and my thoughts from the 2022 Member Leader Day that I have struggled over the years with the concept of the technical community (divisions). For all the changes happening in the ASQ, blowing up the technical communities would be my favorite thing to happen.

As an aside, the tendency to focus on longevity as a member leader may be counterintuitive to our desperate need to have new member leaders get more engaged.

Scholarship and Donations (including Sponsorship, Grant, and Honorariums) have been a source of discussion for years. Well overdue in having a procedure for this.

It is always embarrassing when folks ask where to find operating procedures. Document/Content management is a core part of the Quality profession, and the fact member leaders continue to complain they aren’t aware of procedure and do not know how to find it is a black mark.

Way too much time spent on scholarships, it is a small segment of our work yet something we discuss a lot. Not even sure why this is such a hard matter, every kid going to college I know uses CommonApp (having 2 kids currently in college, I got to know CommonApp really well). Put the scholarships in that, go from there.

And then myASQ was the topic. Same old topic, new platform. I haven’t had a chance to use the new platform that went live on May 1st. Frankly, my.ASQ has never been part of my daily or weekly internet diet, and often my engagement was driven by folks tagging me and me seeing an email. Hopefully, it will be easier to use and drive more content and discussion. Driving engagement is so critical. And at its heart lies the problem core to a lot of ASQ activities, poor communication.

Communication is a theme throughout today. It is a return to fundamentals around communication plans.

Four board initiatives:

  • Quality 4.0
  • Economic and Environmental Sustainability – this is a hard one for me. I agree we should be discussing, but in every organization I’ve been in, Quality is not welcome at this table.
  • NextGen Mentoring
  • Conference/Event Improvement

Financial Update – everyone’s favorite topic! At the end of the day, the membership cliff means everything to the budget (and lack thereof)

I am becoming more and more convinced that the individual membership model is dead. Individuals cannot afford and do not see the value of paying for a membership, so the only way to get members is to make organizations see the value. And there’s the challenge.

Congratulations to all the member units who won Performance Excellence Program (PEP) awards.

I would like to state that any rubric that is secret is not really a rubric. Also, secret scoring mechanisms may be antithetical to quality principles. Make that PEP rubric public!

myASQ Engagement

I worry that myASQ continues to falter because it is viewed as a social media tool instead of a knowledge management tool that drives communities of practice. That said, this transition has been driven more by member leaders than past attempts, which makes me feel positive that it will meet some unmet needs.

Like a lot of things, a few more tools like job aids would be greatly appreciated.

ASQE Insights of Excellence and the Quality Body of Knowledge

I am so excited we have moved this ahead. I participated in developing this tool and seeing where it is going excites me so much. So much that this will be another post later this week.

Wrap Up Thoughts

I am so done talking about the impact of the new membership model and whether or not member units were ripped off. And the spin off of the ASQE. And the debacle of the first launch of myASQ.

I want to focus on QBoK and member value realization and how the future is in organizations and not individual members. And doing cool things like poster sessions and a few other ideas in the works as I do the 2nd half of my chair-elect term and gear up for my term as chair of the Food, Drug and Cosmetic division.

I have so many thoughts on IoE and QBoK that will definitely be a separate post. Probably after the ASQE meeting on Tuesday.

BOSCON 2023- Nov 6&7-Call for Speaker

41st Annual Quality Conference BOSCON2023 

Gaining the Edge and Increasing Confidence

Call for Speakers!

Share your knowledge and experience with your peers!

Proposal Deadline:  August 15, 2023

About the event

BOSCON is a key event for local, national, and international quality professionals to hear speakers discuss different quality topics and network. Each year hundreds gather at this BOSCON quality conference to share best practices, expand their network, and further develop their professional and personal growth from experts and professionals in multiple quality related fields. This year BOSCON 2023 will be held on November 6th and 7th, 2023.

We invite you to join us as a key contributor to the success of the 41st BOSCON Quality Conference hosted by ASQ – Boston. It encompasses two days of presentation by the most knowledgeable and innovative quality professionals at all levels.

Presentations will be offered in 4 tracks:

  • Technology and Innovations
  • Quality and Regulations for Lifesciences
  • Quality Tools and Continuous Improvement
  • Reliability, Maintenance & Managing Risk

Format

Presentations must be 50 minutes plus up to 10 minutes of Q&A.  Presenters must be on site and receive free admission to the conference, the Exhibitor Hall, keynote addresses, and lunch.  The Conference Committee will evaluate all proposals, but there are only 12 time slots available each day.

Key Dates  

  • August 15th: Please complete the form below and submit to dmanalan@memberleader.asq.org and srane@memberleader.asq.org no later than August 15th, 2023.
  • September 3rd: Applicants will be notified if the submitted proposal was accepted; confirmation requires a signed speaker agreement.
  • September 15th: Sign speaker agreement and submit.
  • October 8th: Submit final set of slides by October 8th.

Speaker Proposal Form

1. Title: (Max 50 characters)

Provide a clear and concise title to list and publicize your presentation.  Consider including a tag line, e.g. – “Raising the Bar to Excellence – a CAPA journey.”

2. Description: (Max 100 Words)

Show the prime focus of your presentation and what the attendee(s) will learn.

Provide a short description of your session that will be posted on the conference website and distributed electronically to registrants.  Consider identifying the intended audience (Management, Engineers, Quality Professionals, etc.) and what they will learn.  Think of this as an advertising blurb to capture people’s attention and make them want to attend.

3. Session Abstract(s): (250-300 Words)

Please provide a more detailed overview of your proposed presentation for inclusion in the conference materials.  Abstracts should include the following:

  • Introduction of the topic, including context and background (don’t repeat the Description above)
  • Objectives in terms of what you intend to communicate; what problem(s) are you addressing?
  • Approaches you intend to use to get your message across, e.g. – case studies, data analyses, tips & tricks, etc.
  • Key takeaways the audience should expect to learn.

4. Biographical Sketch: (150-200 Words)

Please provide a summary of your career and credentials for publishing in the conference proceedings.  This information should be composed from the third person perspective.  You may also include a link to your LinkedIn profile or website.

5. Contact Info & Credentials:

Name, address, email, phone, organization, title, and LinkedIn profile link.

6. Additional Info:

Anything that may increase the value or credibility of your proposal, for example, presenter’s relevant credentials or experience in the related field, etc.  If the proposed or similar presentation has been presented in another venue, preferably a national venue, it will add to the credibility and interest to our audience; if the organization or the presenter has won relevant industry recognitions, such as awards or press citations, this will be of benefit in attracting attendees.  Attachment of your presentation or an outline slide is welcome. 

Please submit proposals to dmanalan@memberleader.asq.org and srane@memberleader.asq.org not later than August 15th, 2023.

For general questions about the Conference, please email srane@memberleader.asq.org

Encouraging New Speakers

I would like to encourage new speakers at BOSCON, and at ASQ events in general. I will make myself available to assist and coach individuals who want to speak. I will help you refine your proposal, review and propose edits to your slides, and do some speaker coaching. Let me know if you want some coaching through this blog’s Contact or on LinkedIn.

Business Continuity Planning

The pharmaceutical regulations call repeatedly for business continuity plans. For example, the FDA sets out fairly significant requirements for Medically Necessary Products:

Medically necessary drug products and their components are manufactured all over the world. An emergency situation anywhere in the world thus might affect the availability of drug products in the United States and result in drug shortages. Emergency preparedness for situations that could result in high employee absenteeism is an important goal for manufacturers of drug products and their components. For example, in an influenza pandemic, widespread human outbreaks of illness would be expected in the United States and around the world, resulting in widespread high absenteeism that could hinder normal production activities and cause shortages in the supply of drug products, packaging materials, and drug components. It is therefore vital for industry to prepare before an emergency situation occurs and to develop plans to ensure continuity of operations during emergencies (including, for example, an influenza pandemic, natural disaster, or personnel issue) that would prevent a significant portion of the work force from reporting. It is especially important for manufacturers of finished drug products to be aware of their suppliers’ and contractors’ responses to personnel shortages and, when appropriate, work with them to ensure the availability of high quality materials and services that contribute to the manufacture of MNPs.

FDA, Guidance for Industry Planning for the Effects of High Absenteeism to Ensure Availability of Medically Necessary Drug Products

You can find less definitive requirements throughout the various health authorities’ regulations and guidances.

So what do we mean by business continuity?

Business continuity is the holistic management process that ensures operations continue and that products and services are delivered at predefined levels (e.g. no shortages, no halt to an ongoing clinical trial). This approach is aligned with ISO 22301 Business Continuity Management Systems.

Business continuity management is an ongoing process based on the plan-do-check-act methodology that is made up of 4 key elements:

  • Emergency Action and Response Plans
  • Disaster Recovery Plans
  • Crisis Management Plans
  • Business Continuity Plans

Emergency Action Plans

An emergency action plan is designed to respond to an emergency with mitigating procedures to protect, secure and evacuate people to safety. This is more an OSHA thing; chances are your average Quality unit doesn’t end up owning it. Unless you have no HS&E unit, and then you write one.

This plan includes procedures for detecting, warning, and responding to specific potential emergencies such as fire, severe weather, earthquake, medical emergencies, workplace violence, and other potential threats.

Disaster Recovery Plan

Disaster recovery plans are designed to recover from a disaster, usually related to equipment, infrastructure, and information technology. Something big goes boom: how do you restore this vital support system or equipment as soon as possible and minimize downtime and loss of data? Disaster recovery plans are very important for the computer system lifecycle and should include specific plans for recovery functions, resumption strategies, critical personnel, equipment, services, and external and internal communications.

Crisis Management Plans

Crisis management is all about planning for and mitigating situations that carry risk, and it usually involves a lot of management of communications, internally and externally. This includes communications with regulators, health care providers, etc. When we implement SOPs for health authority notifications, we are engaging in crisis management planning.

Business Continuity Plans

Business continuity planning identifies and plans for disasters or events that could negatively affect an organization’s business functions, objectives, income, reputation, and ultimate survival. This planning takes place in advance of the potential disasters or events that could harm an organization. It takes potential disasters and events into consideration along with their effects on suppliers, vendors, customers, and the organization’s other stakeholders.

In a GxP environment, we are looking at the potential impact of disasters on drug supply and clinical study outcomes (amongst other key activities).

The BCP is all about minimizing the effects of the disaster or event on the organization and returning to normal operations as soon as possible.

These Plans are Interrelated

All four plans are interrelated and should be coordinated. The plans can be combined, but as there are usually very different owners they are often separated.

Documented Plans

The business continuity planning process should result in formal, documented plans that serve as a reference guide in the event of a disaster or event. The existence of the business continuity plans should be well communicated, with individuals with responsibilities having ready access and additional training.

Applying the Risk Management Process

The Business Continuity process should leverage existing risk assessments and sit around them.

Select Team

The team should be multifunctional and very knowledgeable about the organization’s business and the risks it faces. This should be a permanent team, not ad hoc, as this is a living process. You can always bring in ad hoc members for specific questions.

Define Context, Purpose, Scope

At a minimum you are tackling the disruption to product supply and cessation of critical GxP data but there may be other business requirements to tackle. Make sure everyone agrees on these.

Define Terminology

Make sure everyone is on the same page with just what disaster, event, crisis, stakeholder, and business continuity plan (and other important concepts) are.

Agree on the scales for likelihood and severity.

Critical Function Assessment

Identify the business functions that are sensitive to downtime, fulfill regulatory obligations and are vital for maintaining product supply.

Threat Assessment

Identify the threats to the performance of the critical functions.

Identify Hazards and Risks

There are three major categories of hazards:

  • Natural Hazards
    • Meteorological
    • Geological
    • Biological
  • Human-Caused Hazards
    • Accidents
    • Intentional acts
  • Technological Hazards
    • Information technology
    • Utility
    • Fire/explosion
    • Hazardous material
    • Supply Chain interruption

Utilize a risk matrix to assess the likelihood and severity of the identified hazards and risks.

Develop Business Continuity Plan(s)

After the hazards and risks have been identified, the impact understood, and the risks assessed, it is time to develop the business continuity plan (BCP). The BCP allows the organization to survive the event or disaster with minimal disruption. The BCP focuses on mitigating the consequences of the event or disaster that could not be prevented. Recovery strategies for these consequences are determined, developed, and become part of the BCP.

When many potential risks have been identified, use the risk score to prioritize.

BCPs cover management commitment, team identification, team responsibilities, mitigation plans, recovery strategies, training, testing and evaluation, and continuous improvement. Basically the same thing any good plan does.

Mitigation plans are intended to lessen the negative effects of an event or disaster.

Provide appropriate awareness training to everyone impacted, with more substantial training to the BCP team.

Verify it periodically and ensure it continues to be relevant.

Whenever relevant, proceduralize these BCP instructions.

ASQ FD&C Boston Poster Session – 13Jun2023

The next ASQ Food, Drug, and Cosmetic Division Boston area poster session will be the 13th of June from 3-5 pm, hosted graciously by Veeva Systems. The plan is to co-host this event with the Boston section.

The theme for this session is “A challenge in your QMS you found a solution to (and how)” so start working on your posters. Let us know your plans here.

As a reminder, we will be hosting a May session with the Princeton Section. Looking for poster ideas!

Password Manager Applications and Data Integrity

I recently ran into a scenario where password manager apps are used as solutions (?) in generating complex passwords and to keep login information private and secure. I am wondering what your thoughts are on the use of apps to store and auto-fill passwords to GxP systems, especially with respect to access restriction requirements and data integrity. Any validation requirements, etc.?

Asked by a colleague

Passwords are horrible, with numerous problems, both from a security and a usability standpoint. Companies often talk about vulnerabilities, external (like phishing) and internal (like fraud), but there are a host of issues from the user’s end. Often, users have to create dozens of passwords for different accounts, leading to frustration and lost productivity around authentication.

So either the user keeps the same password for multiple sites and applications, which is a major security issue, or they diligently create new passwords for each and every account and promptly forget them.

We should be looking to create organizational policies based on facts with a good reason as to why. Don’t make employees stick to outdated security policies. They are less likely to buy into the program, which in itself can have adverse results on governance aspects. In this case, users expect to be able to use password managers so make it possible.

People are using password managers in your organization, probably through the very browser you are reading this. There are two major categories of password managers:

  • Browser-based password manager. These are the systems that come automatically attached to browsers or software that’s downloaded to your computer or network. Chrome, Edge, etc.
  • Password management app is a type of downloadable software that uses encryption to store your credentials safely and securely (most of the time).

There is a lot written on this from the cybersecurity position by people a whole lot more knowledgeable than me, so I will focus on the data integrity side of things.

There are three primary requirements here that can be distilled from the key guidances:

  • Establish and maintain organizational, procedural, and technical controls to minimize the risk of unauthorized or inadvertent access to computer systems data and records.
  • Manage role-based system access for users and system administrators, including segregation of duties.
  • Establish manual and automated monitoring of computer systems and environments to identify and respond to potential vulnerabilities and intrusions.

Like everything, the amount of effort here is a risk-based approach depending on the regulated processes, records, and data in the system, and whether the system is externally facing – and remember all your cloud applications are externally facing!

Start by evaluating the Information Security Management System (ISMS) as defined by ISO 27001. Many of the requirements in ISO 27001 overlap with the expectations of a GxP system, so it is important that there be one cohesive approach in the organization (and yes that means your ISMS is fully GxP).

Set Organization Controls for the following:

  1. What password managers are allowed. Make it easy and everyone will use it. Also makes it easier to maintain. Restrict a bring-your-own-app approach.
  2. Strengthen your password requirements. 13+ characters, no repeats (also a possible technical control once you’ve taken this route), etc.
  3. Ensure compliance with the NIST SP 800-63B password guidance and the latest version of the German IT-Grundschutz Kompendium of the Bundesamt für Sicherheit in der Informationstechnik (BSI)
  4. Educate, educate, educate

It is important to recognize the difference between dedicated laptops and shared machines. Especially if there is a station that does not have the capability to recognize different users. In these cases, password managers require additional controls, up to being shut off and prevented from use. I cannot stress this enough, a password manager on a shared machine is asking for trouble so treat it with the attention it deserves.
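One way to check the approved-app and shared-machine controls above on managed browsers, as an added example that is not from the original post: it audits a Chrome or Edge managed-policy document using the enterprise policy names PasswordManagerEnabled, ExtensionInstallBlocklist and ExtensionInstallAllowlist. The machine labels, the choice of a single approved extension-based manager, its ID, and the sample policies are constructed assumptions.

```python
"""Audit browser managed policy for password-manager controls (added example)."""

# Real Chrome/Edge enterprise policy names.
BUILTIN_PM = "PasswordManagerEnabled"
EXT_BLOCKLIST = "ExtensionInstallBlocklist"
EXT_ALLOWLIST = "ExtensionInstallAllowlist"

# Constructed placeholder, not a real extension ID.
APPROVED_ID = "a" * 32


def audit_policy(policy, machine_type, approved_ids):
    """Return a list of findings; an empty list means the policy passes.

    policy        dict parsed from the managed-policy JSON document
    machine_type  "shared" or "dedicated" (labels assumed for this example)
    approved_ids  extension IDs of the organization's approved password manager
    """
    if machine_type not in ("shared", "dedicated"):
        raise ValueError("machine_type must be 'shared' or 'dedicated'")

    findings = []
    approved = set(approved_ids)
    allowlist = set(policy.get(EXT_ALLOWLIST, []))
    blocklist = set(policy.get(EXT_BLOCKLIST, []))

    # An unset policy leaves the built-in manager user-controllable,
    # so only an explicit false counts as "shut off".
    if policy.get(BUILTIN_PM) is not False:
        findings.append("built-in browser password manager is not disabled")

    # "*" in the blocklist denies every extension that is not allowlisted,
    # which is what stops bring-your-own-app password managers.
    if "*" not in blocklist:
        findings.append("extensions are not default-denied")

    if machine_type == "shared":
        # Strictest option from the text: no password manager on shared stations.
        for ext in sorted(allowlist & approved):
            findings.append(f"password manager {ext} allowlisted on shared machine")
    elif not (allowlist & approved):
        findings.append("approved password manager is not allowlisted")

    return findings


# Constructed sample policies, shaped like the managed-policy JSON.
DEDICATED_OK = {
    BUILTIN_PM: False,
    EXT_BLOCKLIST: ["*"],
    EXT_ALLOWLIST: [APPROVED_ID],
}
SHARED_OK = {BUILTIN_PM: False, EXT_BLOCKLIST: ["*"], EXT_ALLOWLIST: []}
SHARED_WEAK = {EXT_ALLOWLIST: [APPROVED_ID]}  # built-in manager left at default

if __name__ == "__main__":
    for name, pol, kind in [
        ("dedicated laptop", DEDICATED_OK, "dedicated"),
        ("shared station", SHARED_OK, "shared"),
        ("shared station (weak)", SHARED_WEAK, "shared"),
    ]:
        result = audit_policy(pol, kind, {APPROVED_ID})
        print(name, "->", result or "pass")
```

Running the same audit against the policy actually deployed to each workstation class gives documented evidence for the qualification testing and periodic review.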

Test your selected password manager(s). Most of your testing will be acceptance of the provider-provided package, but you will want to conduct a nice compact qualification. Test it with GxP systems. This will look a lot like whatever testing you do for an SSO application.

Ensure that the right periodic vulnerability testing exists.

In this day and age, password managers are going to be used. Be aware of the risks and ensure the appropriate processes are in place to manage them.