STEVEN R. CAGLE
Conquering Compliance Management
Achieving Enterprise Quality and Compliance means Utilizing a Centralized Software Platform
It's no secret that FDA regulated industries are motivated to find better ways to comply with ever-increasing government regulations and formative industry standards. GMP requirements, 21 CFR Part 11, Sarbanes-Oxley, HACCP and other regulations have made compliance- and risk-management a key concern for any regulated organization.
Many companies have already been cited for their failure to achieve compliance As a result, in addition to encountering expensive product recalls, negative publicity and loss of market capitalization, they have faced regulatory scrutiny, manufacturing facility shut downs, product approval delays and considerable fines.
Managing GxP compliance-related events and actions including deviations, audits, observations, change controls, complaints, corrective and preventive actions and other regulatory processes, requires both formal procedures and effective processes to ensure closure. In addition to quality initiatives, companies need to manage environmental issues and actions, employee health and safety incidents and investigations, Sarbanes-Oxley risk areas, clinical trial compliance issues and other regulatory accountabilities. Managing all of these processes, compounded with the additional corporate responsibility of compliance with internal policies and procedures related to privacy, human resources, tariffs and others, results in what appears to be an almost insurmountable challenge.
Challenges to Overcome
Control of these processes is essential, as even a single misstep can lead to fines, law suits and expensive contract remediation.
The common denominator among all of these compliance processes is the need to manage and track related events and actions from start to completion. Documenting, tracking and trending processes that carry such a high risk cannot be accomplished using paper-based systems, or disconnected and rudimentary electronic solutions. Regulatory agencies, including the FDA, have set forth objectives to aggressively and continually modernize regulation procedures for their respective industries, as noted in the agency's Second Progress Report and Implementation Plan (September 2003), and expect companies to do the same by utilizing robust systems with powerful functionality including data validation, process automation, integrated reporting and elaborate security.
These requirements have plagued pharmaceutical and device manufacturers for many years, and now food and chemical API manufacturers have joined the ranks of those challenged with finding and implementing software solutions to which they can trust their most risk-sensitive data. Last November, the FDA modernized food GMPs, and the Environmental Protection Agency, which strictly regulates all manufacturing industries, continues its ever-increasing focus on risk-based compliance monitoring for environmental and public safety through its Statutory Compliance Monitoring programs.
Now more than ever, manufacturers in all of these industries are proactively searching for solutions to manage regulatory compliance. Three main challenges present themselves: 1) Finding robust and flexible systems which can support both compliance and business needs; 2) integrating the plethora of compliance related processes at hand; and 3) implementing these systems in an expeditious and cost effective manner.
Even more daunting than addressing known compliance needs is the looming threat of additional compliance requirements in the years to come.
The answer lies in what is termed an "enterprise compliance management platform."
It is important to appreciate that an enterprise compliance management platform is not a myriad of separate software programs organized as silos of information. Traditionally, companies have been responding to compliance needs by implementing separate point solutions or individual software modules. While various tools exist for different compliance needs, a strategic platform provides an organization the ability to address and integrate any possible compliance process as part of its inherent architecture.
Many of the larger pharmaceutical companies have already realized that there are numerous advantages to standardizing the management of compliance issues onto a common software platform. A standardized platform provides the necessary ability to integrate data, workflow and reporting without costly customization and validation effort. Further, by implementing one system rather than many, organizations can significantly reduce the cost of licenses, hardware, validation, training and maintenance.
A director of quality from one medical device manufacturer cited that prior to implementing a global compliance management system it had 12 disconnected systems just for managing deviations, investigations, complaints and change controls. The company implemented an off-the-shelf software system as its platform for managing all compliance related issues. In addition to providing the much needed integration between the various applications, the company saved $5.6 million and is recognizing an on going return on investment of $300,000 per year.
A vice president of information services from another organization made a point to stress how much time his users were saving because of the natural integration flow of using the same software system. By utilizing a single software platform the organization cut cycle time by weeks just by having all information at hand. Further, by eliminating redundant data kept in multiple sources, the company avoided the risk of having different versions of the same information in two places, an issue for which it previously received an FDA 483.
Many professionals that have already taken the enterprise compliance platform route will advise careful consideratopm when choosing which system will best serve its vast and evolving needs. It is easy to become overwhelmed with one or two areas of pain. Implementing an enterprise quality and compliance platform requires that an organization looks at the bigger picture. The system must have certain attributes and qualities to meet long term needs and to scale to global proportions.
Where to Begin
A good place to start is by looking at what things the system needs to do from a functionality point of view. While data, process and user intervention differ depending on the types of events and actions, the requirements for systems to track and manage them from the same from a high level. So what are the things that an enterprise quality and compliance management system must do?
To start, it must facilitate data capture for all conceivable record types, as many as required, in a structured format. It must have the ability to organize them according to pertinent qualifiers, and automate completion of work through a business process defined by your own organization. The process must follow the procedures of the organization and departments that use the software. All data and signatures should be captured electronically, and without paper, thereby replacing the need to have "documents" circulating for signature and review.
Automatic notification capabilities are also important. Notification facilitates efficient inter-departmental communications, enabling staff members to be informed of all meaningful events on a timely basis and in a consistent manner. A system that notifies users of critical events, achievement of mile stones or when work is required, will help to shorten cycle times.
An effective enterprise compliance system will prevent issues from slipping behind schedule by automatically escalating action items that are not following expected timelines. "Escalation" may be notifying someone, re-assigning work or creating an action item to document the deviation from the process.
Essentially, the product must be "configurable." A configurable system, by its definition, enables an organization to meet its specific business requirements without requiring code changes and without necessitating complex scripting or programming.
SOP enforcement is also important as it takes the human element out of the equation. For instance, by automatically calculating due dates the system can ensure they are set correctly based on issue classification or risk level. Additional benefit can be derived from the automatic scheduling of tasks and work assignments to appropriate individuals. All of these "business rules" should be determined based on validated, predetermined conditions.
Finally the system must ensure that employees involved in the business process are able to find information quickly, and therefore the system should provide a reliable and easy-to-use mechanism for searching the database and retrieving required data. All information should be accessible on demand, and without delay. Further, it is crucial that the system is able to provide this information in meaningful report formats, provide statistical analysis, trending views, and the "big picture" of where the organization stands with its quality related processes.
Don't Forget Scalability
Functionality is only the beginning when defining the qualities needed to implement an enterprise compliance platform. There are higher level fundamentals and without these, a system will not be scalable enough to support the organization at a global level.
For instance, the software should be Web-based as this allows users around the globe to connect to a centralized database without the need to install software on local PCs. A Web-based software system can be deployed more quickly than client server applications, and is more cost effective to maintain as there is no need to perform future client upgrades.
Another imperative characteristic is that the software is highly configurable to meet all business processes in one single system without needing to purchase, install, and validate numerous "modules." A highly modular system allows an organization to determine and configure its own "modules" (record types) according to the processes they need to manage. It should not be the other way around.
Representatives from numerous pharmaceutical and device companies have pointed out time and again that flexibility is the key aspect of an enterprise compliance platform. The ability for the company to adapt the product to follow all processes including the ones that you don't know about yet will save time and money in implementation, validation and ongoing maintenance as needs change. Essentially, the product must be "configurable." A configurable system, by its definition, enables an organization to meet its specific business requirements without requiring code changes and without necessitating complex scripting or programming. The extent of flexibility is also important. Many tools have some level of configurability, but it begs the question how much, and is this enough to support enterprise needs?
The food industry can benefit substantially from the pharmaceutical industry's experience with implementing these types of solutions. While of course the two industries are different, there are many parallels with regard to management of quality and compliance related events.
Long term solutions are required to be scalable, and use a robust database management system that can handle the largest potential number of users. The solution should lend itself to high availability through use of standard load balancing software and be able to support a large number of simultaneous users across the company from various departments and business units. If the system will be used in multiple locations in different time zones, it must also support Universal Time Code (UTC), and have a facility to be translated into additional languages. It is advisable to evaluate how many companies are using the system in a similar fashion and at what scale. Solutions that are proven to be globally scalable pose far less risk than those that have yet to be proven to work at global proportions. Enterprise quality and compliance management systems should also support integration to other systems that are related to the processes you are managing. These typically include Laboratory Information Management (LIMS), Electronic Document Management (EDMS), Manufacturing Execution (MES) and Enterprise Resource Planning (ERP) systems.
The system must be accepted in the industry as 21 CFR Part 11 compliant. Since the regulation in its present form can be interpreted in numerous ways, (for example, the number of days required for password expiration,) the system must be configurable to allow the company to set the parameters in accordance with its own policies and procedures.
In addition to finding a great system, find a great partner. The vendor should have a well-established customer base in the regulated industries, with validated production installations similar in scope and size to your organization. If your organization is in an industry that is just now implementing systems like this, look to other industries that have faced similar challenges. For example, the food industry can benefit substantially from the pharmaceutical industry's experience with implementing these types of solutions. While of course the two industries are different, there are many parallels with regard to management of quality and compliance related events.
As we continue our journey through the third millennium, compliance management will continue to be in the fore-front of our minds and amongst our highest priorities. As with all challenges come opportunities to change our outlook and approach to managing our business. Technology, as we know from the past, is never far behind these new opportunities. Implementing a strategic platform as a standardized tool to manage compliance related events and actions can help an organization efficiently manage its portfolio of compliance issues in an extremely efficient manner. Once having this mind set, and implementing a tool that is capable of making this vision a reality, a company will be well equipped to manage its compliance needs now as well as in the future. �
1 Statutory Programs Compliance Monitoring. U.S. Environmental Protection Agency.Steven R. Cagle is vice president of marketing and product development for Sparta Systems Inc. (Holmdel, N.J). Reach him at 888-261-5948 o