Part 1: Managing regulatory compliance
Regulatory challenges
1. Increasing compliance pressure
Any business must comply with local and global laws and regulations. But the pharma and life sciences industry is perhaps amongst the most highly regulated. And with good reason: the quality and safety of any medical product or service can impact patient lives.
Regulatory compliance has, in fact, become so important that it is practically a prerequisite for doing business. Non-compliance can have serious legal and financial consequences. Nonetheless, adapting policies, processes and procedures to comply with regulatory requirements turns out to be a major challenge for a lot of pharma companies.
Examples of regulatory requirements
Regulatory compliance defines practices and standards that a company needs to follow. Organizations on different levels can determine compliance standards: local governments, global institutions (such as WHO) and industry-specific certification organizations. For pharma and life sciences companies, these are some examples of regulatory standards.
FDA Code of Federal Regulations (CFR) Title 21
The FDA CFR Title 21 regulates all food and drugs manufactured and consumed in the United States. Part 11 specifically outlines rules and regulations for electronic records and signatures used within the company.
Good Clinical, Laboratory, and Manufacturing Practices (GxP)
GxP is an umbrella term for several practices, where the ‘x’ is replaced by each specific domain. It contains, among others, clinical (GCP), manufacturing (GMP), distribution (GDP) and laboratory (GLP).
Quality Management System (ISO norms)
A Quality Management System (QMS) is a set of procedures and practices that contribute to product quality. The ISO is an international body involved in developing standards in various industries, including pharmaceutical & life sciences. The current standard for Quality Management System (QMS) is ISO 9001:2015 - previously ISO 9001:2005 and ISO 13485:2016. Although the ISO-certification is not mandatory in Europe, having a QMS is.
General Data Protection Regulation (GDPR)
Like all companies collecting or processing data from EU residents, pharma and life sciences companies need to apply data protection standards according to the GDPR.
Software Lifecycle Processes (IEC norms)
This standard covers the safe design and maintenance of all software that is used within the company.
Conformité Européenne (CE)
If your company produces and/or trades products (such as medical devices) in the European Economic Area (EEA), CE is the general marking to assure that any product meets the General Safety and Performance Requirements (GSPR). CE marking is a part of the EU’s harmonisation legislation, which is mainly managed by the Directorate-General for Internal Market, Industry, Entrepreneurship and SMEs.
IT security Management (ISO/IEC 2700)
Certification for ISO/IEC 27001 is not mandatory. There is no legal requirement to have an Information Security Management System (ISMS), but companies do have to ensure that their software is free of malicious code.
2. Balancing resources and compliance requirements
For starters, mitigating compliance risks requires major resources. For small- and medium-sized companies in the pharma & life sciences industry, compliance is often a delicate balancing act between allocating the right amount of resources and improving processes while simultaneously achieving business goals.
At Sterima, a Belgian-based company providing sterilization products and services, the quality control team expanded from 1 to 4 FTEs in just a few years.
It’s clear there is a huge gap between the basic regulatory requirements and the costs for SMEs, confirms Henrik Walther Madsen, Director at Epista Life Science. “In effect, regulatory compliance becomes a risk assessment. The risk of not being compliant versus the company’s cost for doing so. This risk assessment is important, because it helps you determine your priorities when navigating the complexity of regulatory compliance.”
3. Compliance in a changing world
In the fast-evolving life sciences industry, changes usually mean compliance upgrades. On top of that, the regulatory environment is always in motion. As the number and complexity of regulations constantly increase, it’s getting harder for life sciences companies to keep up the pace.
Moreover, transitioning this highly regulated business into the digital world adds a new level to the compliance challenge. Companies are under extreme pressure to increase transparency and to rethink their processes for better and more efficient compliance.
Cedric Soubry: “It’s not just the regulatory requirements that keep evolving. Audits from the governing bodies are also becoming more elaborate and efficient, and clients expect us to be fully compliant as well. Simply put, more collaboration and compliance is expected throughout the entire supply chain.”
The gold standard: always compliant
From a siloed approach …
Compliance in pharma & life sciences is not limited to the quality control of the final product. Its impact stretches over multiple levels: products (e.g. quality control), processes (e.g. Computer System Validation or CSV) and people (skills, certifications). All areas of business are directly involved with regulatory compliance, from R&D and HR to IT and manufacturing.
As a result, specific skills and expertise are required to assure compliance in each of these areas. This complexity leads many companies to create an abundance of manual processes and paper trails that are prone to costly errors. Such a siloed approach to compliance is time-consuming, inefficient and inflexible.
Klavs Esbjerg, CEO of Epista: “How can pharma companies become more efficient? Just look at your own internal processes and procedures. I bet there is a lot of documentation. Ask yourself: why are you doing this? So many companies overcomplicate things. There is a lot of efficiency to be gained on that front.”
… to enterprise-level compliance
Instead of managing regulatory compliance within each individual team, companies should strive for a comprehensive enterprise-level view of regulatory risks. Compliance as a strategic business goal can even turn this challenge into a differentiator and create additional business value.
This of course means the business should be prepared to drastically adapt its way of working to regulatory requirements. Manual and specific processes should be replaced by a unified and centralized process, aiming to build compliance into every aspect of business.
Adapting the process: back to standard
When it comes to process-level compliance, one key aspect is CSV – Computer System Validation. CSV or software validation confirms that a computer-based system conforms to user needs and intended use in a consistent and accurate manner that is secure, reliable and traceable.
Any change made to the software requires a new validation. Naturally, companies have a tendency to avoid upgrades. This in turn leads to outdated systems. And once they are no longer capable of meeting the business requirements, replacing them with a validated system becomes an enormous undertaking.
Organizational changes
When the process is adapted to the standard, this often implies the business needs to change accordingly. In other words, organizational change management is crucial to implement these changes successfully.
Flanders-based Inovet produces veterinary medicine and animal health products. They are currently transitioning from two legacy ERP systems to a cloud-based validated system.
Lara Moons, Strategy and Digitalization Manager at Inovet: “A validated system is a must, and staying as close to the system as possible is key. Each deviation from the standard was heavily challenged and needed the approval of a formal Change Advisory Board. This required support and flexibility from the business to change their way of working.”
Continuous compliance in the cloud
Computer System Validation (CSV) applies to any kind of business software, like an MES, LIMS etc. An essential part of the IT infrastructure relating to compliance is of course your ERP: the heart of all your operations. The transition from on-prem ERP systems to cloud-based solutions is reshaping the landscape of system validation. With on-prem systems, validation usually only took place every few years, since it required an enormous amount of resources. This meant that the system remained validated during operations.
Cloud solutions offer frequent but smaller upgrades. This agile approach ensures that the system stays on par with evolving business needs. Of course, this also makes it harder to maintain a validated state. But with the right methodology, continuous validation is possible.
In the quickly growing pharma & life sciences industry, companies need to be able to support quick growth – whether organic or through acquisitions – with scalable processes and systems, collaboration throughout the supply chain and an efficient time to market. Read all about it in the next part of this series: Growth and scalability.
Both the rapidly evolving industry and the quick growth within a company require flexible solutions. So how to tackle all these challenges, and even turn them into opportunities? Find out in part 3 of this series: Digitalization and innovation.