EPCS Pharmacy Certification Capability Statement
iBeta Electronic Prescribing of Controlled Substances Certification Process
iBeta Company Background
iBeta is a privately held Limited Liability Company. Certified by the National Minority Supplier Development Council, iBeta is a Minority Business Enterprise (MBE – RM0152). iBeta has provided a full range of quality assurance testing services to clients in North America, Europe, Asia, and Australia since 1999.
iBeta built each client relationship by focusing on delivering solution based services that produce rigorously tested products on time and within budget. Quality and value are the key expectations of all of iBeta’s clients. As a result of iBeta’s focus on client satisfaction, iBeta maintains a 90% repeat business ratio after working with hundreds of clients.
iBeta, located in Aurora, Colorado, operates a fully staffed 40,000 square foot test facility supplied with the materials and equipment needed to fulfill the certification test services being proposed. As a privately held company, iBeta pledges that we have the necessary financial wherewithal to complete this project.
iBeta is nationally accredited as a test lab by the National Voluntary Lab Accreditation Program (NVLAP) to the requirements of ISO/IEC:17025 (General requirements for the competence of testing and calibration laboratories).
- In 2007 iBeta was accredited by the Election Assistance Commission as a Voting System Test Lab (VSTL). The VSTL test efforts are parallel to the IV&V test efforts defined in IEEE 1012-2004 Software Verification and Validation.
- In 2011 iBeta was accredited by NIST under the National Voluntary Laboratory Accreditation Program (NVLAP) for Biometric Testing.
iBeta Consulting and Certification Process
iBeta Quality Management System
The iBeta Quality Management System (QMS) has been audited and accredited to be in compliance with the ISO 17025 requirements. The QMS consists of the Quality Policy and Quality Procedures.
iBeta has submitted to the DEA and received approval of the following Certification Procedures and Templates, and maintains these templates and their corresponding vendor specific versions under a version control system:
List of DEA Approved EPCS Test and Certification Procedures and Templates
- DEA-EPCS Security Assessment Procedure
- DEA-EPCS Assessment Template
- DEA-EPCS Test Case Template
DEA EPCS Certification Report
- DEA-EPCS Certification Test Report Procedure
- DEA-EPCS Certification Test Report Template
In addition, for the EPCS Certification Consulting and Test Effort, the following standards are utilized as applicable:
- NIST Special Publication 800-53A
- 21 CFR Parts 1300.03, 1305, 1306, and 1311
Pre-Certification and Auditing Services
iBeta can provide initial pre-certification services as well as auditing to provide certification to the DEA EPCS regulations described in the Interim Final Rule of March 31, 2010 and the Clarification of October 19, 2011 (hereafter referred to as ‘regulations’).
iBeta may consult with the software development team to upgrade their pharmacy software to comply with the DEA EPCS regulations.
Deliverables from these pre-certification services may include discrepancy reports. Consistent with the NVLAP accreditation, iBeta produces an Excel spreadsheet containing line item summaries of findings of discrepancies between the tested application and the requirements. The discrepancy report is used in our procedures to track the findings to closure. Once all discrepancies are closed and the software is fully functional, then it is capable of passing an audit.
Other deliverable may also include daily or weekly status reports, a requirements to test matrix, test cases, and a final report with opinions and recommendations.
The pre-certification services are on a time and materials or fixed price basis and provide as much or as little support as requested by the vendor. There are a number of tasks that iBeta can perform to aide in the preparation for a certification audit during the development phase. These services may include:
- Receive and review documentation
- Review developer test plans and test cases
- Receive Pharmacy Application
- Prepare Test Cases as necessary
- Monitor developer testing
- Generate Discrepancies or Gap Analysis of current or proposed application against the DEA EPCS Pharmacy regulations
- Receive updated application
- Retest assess identified gaps
- Iterate through process until candidate application is read for certification
- Issue a regulation to test matrix that contains the DEA EPCS regualtions that are specific to the vendor’s pharmacy application
- Issue a pre-certification letter that documents the gaps identified and the resolution of those gaps
iBeta will audit the application and produce a report certifying the software version to be compliant to the regulations. Per the regulations, applications can only be used to prescribe or dispense controlled substances via electronic prescriptions if the application has been audited or certified to meet the regulations.
iBeta will audit the overall application to validate that it meets all requirements and produce a Report of Compliance and Certificate. The Certificate contains information sufficient to uniquely identify the application version and the date of compliance. As per the regulations, this certificate is valid for two years or until the application is changed, whichever comes first. The Report of Compliance may contain caveats to the compliance because; for example, it may meet the overall requirements for most schedules of drugs, but might not meet them for some specific instance which would be noted in the report (note that generally these exceptions occur on the prescribing side and not on the pharmacy side, so it is unlikely that any exceptions will occur for a pharmacy application).
The regulations require that an audit occur whenever the application is altered or every two (2) years, whichever occurs first. iBeta may also be contracted for future audits of the application(s).
The estimated period of performance for the Audit is one week for Audit preparation which can begin with the receipt of the application documentation followed by 2 weeks of Auditing and an additional week for Report of Compliance and Certification. The Audit Tasks include:
- Receive and review documentation
- Prepare Test Cases – typically for a pharmacy application, 3 functional test cases and 2 static test cases are tailored to the certification candidate
- Prepare Test System (test system must submit electronic prescriptions to pharmacy application) Deliver Test Cases to vendor
- Commence Validation Testing either with the vendor, with access to the application candidate, or on-site
- Generate Discrepancies if failures are encountered
- Assess impact of discrepancies – either testing may resume once the discrepancy is corrected from the point of the failure or regression testing may be required
- Complete Testing and document how the certification candidate meets each DEA EPCS regulation
- Produce Report of Compliance and Certificate of Compliance
iBeta receives and reviews the vendor documentation to the extent it exists prior to generating any necessary test cases. Ideally, iBeta receives the pharmacy application and any associated test jigs or test software prior to generating test cases. Given this review, iBeta uses its requirements template to determine if a requirement can be tested in a few steps and adds those steps to the template. If more than a few steps are required iBeta generates or adds steps to a test case.
iBeta executes test cases and generates discrepancies between the expected (required) response and the observed response. Test cases are generally completed unless there is some catastrophic or dependency failure which prevents continuation of the test case after a discrepancy point (some groups of steps may be skipped because an entire set of functionality is missing).
iBeta will produce a certificate of compliance report.
The full report of compliance contains the following sections:
- Executive Summary – including identification of the application audited
- Introduction – Test methods, documentation and introduction to the test report
- Background – Nomenclature and summary of procedures and any deviations from documented test methods.
- System Identification – Detailed identification of system including all dependencies and detailed description of the test environment and test systems
- Review and Test Results – Summary of results, exceptions and exclusions from testing (if any)
- Opinions and Recommendations – generally contains the affirmation that all requirements of the regulations are met. Table of high level requirements that were tested and passed.
- Appendix A – Security Assessment Results – detailed line item regulations tested and result
- Appendix B – As Run Test Cases
- Appendix C – Configuration Management Identification of Certified Application