• Search by category

  • Show all

Minimum Viable QMS for First-in-Human Trials

March 5, 2026

I have worked with enough emerging biotech companies to know that the phrase “we’ll formalise quality management before Phase 2” has often been spoken with confidence and good intentions. It is also always wrong.

The inflection point between completing non-clinical studies and moving into first-in-human trials is not simply a scientific transition. It is an operational and ethical shift. You are no longer generating exploratory data; you are placing an investigational product into healthy volunteers or participants under regulatory oversight. At that moment, your Quality Management System (QMS) ceases to be an administrative aspiration and becomes a safeguard for participants, data integrity, and corporate survival.

The Core SOP Categories You Cannot Avoid

In my experience, companies approaching first-in-human studies require, at minimum, a defined set of core SOP categories:

  • Document Control

    Without document control, nothing else stands. You need procedures governing the creation, review, approval, versioning, distribution, and archival of controlled documents. This is not bureaucratic housekeeping. It ensures that your clinical team, Contract Research Organisation, and service providers are operating in compliance with the correct protocol versions, processes and approved templates.

  • Training and Qualification

    An SOP on training must define how roles are assigned, how competency is assessed, and how training is documented. ICH E6(R3) explicitly requires sponsors to ensure that individuals involved in trials are qualified by education, training, and experience [1]. In a five- or ten-person biotech, it is common for roles to overlap. That is acceptable, but undocumented evidence of competence is not.

  • Change Control

    First-in-human programs are dynamic. Manufacturing processes evolve. Protocol amendments are common. Service provider scopes shift. A formal change control process ensures that changes are assessed for impact on safety, data integrity, regulatory submissions, and supply. Without it, you accumulate undocumented drift, which regulators may rightly interpret as a loss of control.

  • Deviation and Nonconformance Management

    You must have a mechanism to identify, document, investigate, and resolve deviations, whether from protocols, SOPs, or service provider agreements. The purpose is not to create paperwork but to demonstrate transparency and systematic handling of issues. In regulated environments, unrecorded deviations are viewed more severely than recorded and well-managed ones.

  • Corrective and Preventive Action (CAPA)

    Linked to deviation management is a CAPA process that distinguishes between symptom and root cause. Overly elaborate CAPA systems are common in large pharmaceutical organisations; early-stage companies need a streamlined approach focused on meaningful root-cause analysis and clearly documented follow-through.

  • Service Provider Qualification and Oversight

    Most startups outsource clinical operations, data management, pharmacovigilance, and manufacturing. Under ICH guidance, outsourcing does not transfer Sponsor responsibility [1,2]. A service provider qualification SOP must describe due diligence, selection criteria, contractual quality agreements, oversight mechanisms, and performance review. I have seen early-phase programs jeopardised because oversight was assumed rather than actively embedded.

  • Clinical Oversight

    Even when a CRO runs your trials, the Sponsor must retain documented oversight. This includes review of monitoring reports, safety data, protocol deviations, and key performance metrics. Formal documented oversight meetings are an essential way of demonstrating oversight of all aspects of a clinical trial. A clinical oversight SOP defines how and how often these meetings and reviews occur, who is responsible, and how findings are interpreted and escalated.

  • Data Integrity and Records Management

    Regulators globally emphasise data integrity. Data must follow ALCOA++ principles (Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, Available, Traceable) [3]. Early-stage biotech companies sometimes assume their CRO’s systems suffice. You still need internal governance over data review, access controls, and archival.

  • Risk Management

    Risk management and risk proportionality is at the heart of ICH GCP E6 (R3) guidelines. A simple but structured risk management SOP aligned with ICH Q9 principles [4] allows you to identify critical-to-quality factors and prioritise oversight where it matters most. For lean organisations, this is a survival tool: it tells you where not to spend time.

Why These SOPs Matter

At the regulatory level, these systems demonstrate control. At the operational level, they reduce rework, prevent confusion, and create clarity of responsibility. At the reputational level, they protect credibility with investors and partners. At the ethical level, they protect trial participants.

I have seen two contrasting scenarios. In one company, a poorly documented service provider change resulted in inconsistent safety reporting timelines. The issue was discovered during due diligence for a financing round, not during an inspection. The reputational damage outweighed the technical deficiency. In another, a small biotech with a disciplined but lean ‘off-the-shelf’ QMS was able to respond to regulator queries within days because documents, training records, and oversight logs were organised and current. That efficiency translated directly into investor confidence.

The Difference Between Documents and a Lived System

Your QMS should never be viewed as a document repository. It is behaviour reinforced by governance. If your deviation log is empty 6 months into a complex first-in-human trial, that is not evidence of perfection; it is evidence of underreporting. If training records are completed retrospectively the week before an audit, the system exists on paper only and will not be looked at forgivingly by the auditor.

A lived system shows signs of use: completed logs, meeting minutes, version histories, CAPAs with documented follow-up, management review records. Regulators and due diligence teams look for evidence of implementation, not policy elegance. A poorly implemented QMS will devalue your asset (eventually); something every biotech needs to take seriously.

Quality Culture in Small Organisations

In small organisations, quality culture might be expected to be amplified. There are fewer layers, fewer hand-offs, and far less room for ambiguity. However, there is the drive to stage agile, lean and flexible. This doesn’t always have a positive effect. In the end, the behaviours that leadership tolerates, or unintentionally reinforces, become the system.

A common early-stage failure is treating deviations as personal failures rather than system signals. When staff perceive that raising an issue will result in blame, additional workload, or reputational damage, issues go unreported. The absence of deviations on paper is then misinterpreted as system robustness, when in reality it reflects cultural suppression.

A functional quality culture in a startup has several observable characteristics:

  • Deviations and issues are raised early and without defensiveness.
  • Documentation is completed as part of the work, not retrospectively ‘for quality’.
  • Quality discussions focus on impact and learning, not fault allocation.
  • Senior leaders participate visibly in governance reviews.

Culture cannot be written into an SOP, but it is shaped by how SOPs are used. If change controls are routinely bypassed, training is backfilled, or CAPAs are closed without evidence, the message is clear: quality is optional. Conversely, when leadership asks informed questions, reviews logs, and accepts that early development involves imperfection, quality becomes embedded rather than enforced.

In small teams, quality is not a department. It is a collective discipline.

The Supporting Infrastructure

Beyond SOPs, a minimum viable QMS requires:

  • A concise Quality Manual describing scope, responsibilities, and governance structure.
  • Controlled templates (e.g., deviation report forms, change control forms, training matrices).
  • Logs (deviation, CAPA, change control, training).
  • Defined quality agreements with key service providers.
  • Management review meetings with documented outputs.
  • A dedicated individual to manage and stay on top of the administrative requirements

None of this requires expensive electronic systems to deliver and manage at the outset. Well-controlled cloud-based platforms with defined access controls can suffice, provided governance is clear.

Staying Lean Without Being Exposed

One mistake startups can make is overbuilding too early, importing a big pharma SOP library will overwhelm a ten-person team. Complexity is not synonymous with compliance.

A risk-based approach should guide scope. If you have no in-house laboratory, you do not need a detailed laboratory SOP suite. If manufacturing is outsourced, your emphasis should be on service provider oversight and quality agreements rather than internal batch record procedures.

Build in phases. Phase 1: establish foundational governance (document control, training, deviations, service provider oversight). Phase 2: as clinical activity expands, formalise internal audit programs and performance metrics. Phase 3: as you approach Phase 2/3, introduce more robust quality planning and internal audits.

Engagement is critical. In lean organisations, quality cannot sit in a silo. Assign clear process owners. Keep forms simple. Reading is not training. Ensure that raising a deviation is not culturally penalised. Administrative burden should be proportional to risk.

What ‘Good Enough’ Looks Like at First-in-Human

One of the most persistent misconceptions in early development is that quality systems must be either minimal to the point of fragility or fully ‘big pharma’ in scale. Neither is appropriate at first-in-human (FIH) stage.

‘Good enough’ at FIH means that critical processes are defined, implemented, and evidenced. It does not mean that every conceivable scenario has a bespoke SOP. Regulators and inspectors do not expect maturity equivalent to late-phase organisations, but they do expect control where it matters most.

At FIH, good enough typically includes:

  • Compliance with Good Practice (e.g., Good Clinical Practice [GCP]) and applicable regulations.
  • Clear Sponsor oversight of the clinical trial, even when execution is outsourced [2].
  • Documented risk assessment identifying critical-to-quality factors.
  • Active management of documents, service providers, changes, deviations, and safety-relevant issues.
  • Demonstratable training and role clarity for individuals performing trial-related tasks.
  • Traceable data handling and record retention practices.
  • Demonstrates a commitment to continuous improvement

What is not acceptable at FIH (or any stage of clinical trials) is reliance on informal knowledge, undocumented decisions, or assumptions that CRO systems substitute for Sponsor responsibility [1]. The test is simple: can the organisation explain, with evidence, how it knows its trial is being conducted safely, compliantly, and as intended?

Proportionality remains key. A startup running a single FIH study does not need an internal audit department or a complex metrics dashboard. It does need a system that shows awareness of risk, ownership of decisions, and the ability to respond coherently when things do not go to plan.

Good enough is not about doing the minimum. It is about doing the right things, at the right level of depth, at the right time.

Remaining Inspection-Ready

Inspection readiness is not a frantic pre-inspection exercise; it is the by-product of disciplined routine. Maintain up-to-date logs. Conduct periodic internal reviews. Perform at least one mock inspection or structured gap analysis before initiating human trials. Regulatory agencies expect Sponsors to demonstrate ongoing oversight and quality management, not reactive scrambling [2].

Designing for Scalability

Design your QMS architecture so that new SOPs can be added logically under defined process categories. Use consistent numbering and versioning conventions. Avoid embedding role names that will change; define responsibilities by function. Choose systems that can migrate from simple shared drives to validated electronic QMS platforms as you grow. The goal is not to freeze your organisation in a minimalist state but to create a framework that evolves without requiring reinvention.

Hard-Won Lessons

Quality failures in early-stage biotech rarely stem from ignorance of regulations. They arise from optimism bias, the belief that small teams and good intentions substitute for structure. They do not. Conversely, I have seen lean companies with fewer than 15 employees operate with impressive discipline because leadership framed quality as a strategic asset and not as an additional regulatory overhead.

The Investor and Partner Due Diligence Lens

Quality systems are rarely built for investors, but they are frequently judged by them. For early-stage biotech companies, quality maturity is one of the fastest ways external parties assess whether the organisation can deliver what it promises.

During financing rounds, licensing discussions, or strategic partnerships, due diligence teams often focus on a narrow set of quality signals rather than exhaustive compliance. They ask practical questions:

  • Can the Sponsor demonstrate oversight of outsourced activities?
  • Are roles, responsibilities, and decision-making authority clearly defined?
  • Is there evidence that issues are identified, documented, and resolved systematically?
  • Do training records and governance logs exist contemporaneously, or were they created retrospectively?

A functional QMS performs well under this scrutiny. When documents are controlled, logs are current, and oversight meetings are recorded, diligence exercises move quickly. When quality artefacts are scattered, incomplete, or inconsistently applied, confidence erodes—often regardless of how promising the science may be.

Importantly, quality gaps uncovered during due diligence do not remain technical observations. They frequently translate into conditional requirements, valuation reductions, delayed closings, or additional post-investment oversight. In contrast, a minimum viable QMS that is clearly implemented and in active use signals operational maturity and reduces perceived execution risk. In that sense, quality is not just a regulatory requirement; it is a commercial asset.

A Strategic Imperative

As you transition into first-in-human trials, your QMS becomes a visible signal of maturity. Investors interpret it as operational control. Regulators interpret it as sponsor accountability. Participants depend on it for protection. Treat quality not as a cost centre but as a strategic enabler; one that prevents delays, protects data reliability, and enhances valuation. Build the minimum viable QMS deliberately, implement it authentically, and expand it intelligently as your pipeline progresses.

Conclusion

In practice, a well-designed minimum viable QMS is a strategic enabler, not just an exercise in paperwork management. When implemented early and authentically in our BioStack™ environment, it accelerates development by preventing rework and delays, and it builds confidence: regulators see accountability, and investors see operational control. Crucially, a functional QMS system protects trial participants and data integrity, regulatory frameworks explicitly expect quality management to ensure patient protection and data reliability at all stages. We can get you there: info@niche.org.uk.

In summary, startups should view their QMS as an investment in efficiency and credibility. A lean but active QMS from day one (with clear governance, trained staff, and documented processes) mitigates risk and sends a signal of maturity. An early QMS delivers structure, credibility, and regulatory confidence that supports fast, compliant growth. By continuously improving this system as the company grows, biotech innovators can avoid costly compliance pitfalls and focus on delivering safe, effective therapies.

References

  1. International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use. ICH E6(R3): Good Clinical Practice. 2025.
  2. US Food and Drug Administration. Guidance for Industry: Oversight of Clinical Investigations — A Risk-Based Approach to Monitoring. 2013.
  3. European Medicines Agency. Guideline on computerised systems and electronic data in clinical trials. 2023
  4. International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use. ICH Q9(R1): Quality Risk Management. 2023.

About the author

Ben Stevenson
Quality and Training Officer
View profile
Dr Ben Stevenson is a Quality Management professional who manages quality and training at Niche Science & Technology Ltd. Before joining Niche in 2021, Ben was a PhD and postdoctoral researcher working on the mechanical properties of cells with a focus on Muscular Dystrophy. Ben joined the Niche team as a Medical Writer and took on the role of Quality Representative for the MW department. Ben became a full-time member of the Quality team in 2023. Ben has worked with a number of early-stage biotech and pharmaceutical companies to help develop and manage their budding quality systems.

Social Shares

Subscribe for updates

* indicates required

Related Articles

Get our latest news and publications

Sign up to our news letter

© 2025 Niche.org.uk     All rights reserved

HomePrivacy policy Corporate Social Responsibility