The pharmaceutical industry could not function without its regulated documents, such as policies, standard operating procedures (SOP) and working practices. There are pressures on this infra-structure; regulations are becoming more complex and diverse, M&A activity is a constant complicating function, and the addition of more complex products to the portfolio in new markets all add corresponding regulatory demands on the business. This makes the required control documents more difficult to develop and maintain, and this in turn exposes companies to a higher likelihood of future compliance failure.
Alongside this heightened risk from complexity there is unprecedented political pressure on regulatory agencies, with an expectation that the industry will continue to improve the quality of its compliance with individual markets.
With these challenges in mind, the control document environment can help ensure compliance without costing disproportionate amounts of money. There are two critical components:
- instituting a document architecture model that clearly defines the roles of different document types and the content they contain, and
- establishing simple rules that can be followed by authors of the control documents.
Too often the writing of the control documents is a background task carried out by multiple individuals with differences in understanding and experience around the material. This means that the way in which these documents are written needs to be clear and unambiguous so that the various unconnected authors have a common point of reference.
Writing the Control Documents
Once the architecture is clearly defined, it is important that the documents themselves should be easy to use and lead to compliance. The guidance can be summarized thus: Compliance is achieved through simplicity and clarity, not complexity or extensive detail. We have captured this with 10 rules to guide the creation and management of these controlling documents:
- Aim for simplicity and clarity, avoiding complexity and the drive to cover all eventualities. Organizations must seek opportunities to reduce complexity, as this results in fewer errors and enhances the likelihood that people will comply. When organizations try to cover every possible situation, the documentation becomes so complex it becomes practically impossible to remain compliant with it.
- Be outcome oriented. Building on the first rule, it is important to define the outcome required, not the input expected. When organizations define the input, or activity, then the process can be adhered to without meeting the regulatory obligations set by the regulator. When the outcome is defined, then tasks are all critical to the end result, and compliance is not achieved unless the outcome is correct.
- Don’t aim for perfection; use a risk-based model. The goal is to develop a good system that is fit for purpose without a lot of complexity. Inevitably there will be circumstances that are not covered by the documents; do not expect every possible eventuality to be addressed. High frequency risks must be covered but low frequency, high-impact risks are better managed by people reacting to the crisis rather than trying to mandate behavior a priori for every possible event. Good controlled document architecture requires a risk-based approach.
- Make processes role based, not job title based. While organizational restructuring happens frequently, organizations must build processes around roles, which expedites redevelopment or integration of documents. This also allows for the organization to align with local requirements without needing to rewrite SOPs. For a role-based model to be successful, individuals need to have their roles recorded in the learning management system, and these roles need to be maintained as responsibilities change.
- Ensure different document types have clear guidelines for the different content required. It has to be clear whether a specific document mandates process or simply provides guidance; the selected document type must also reflect this intent. For example, policy documents set the ambition, a quality management system (QMS) lays out the scope, SOPs define how the scope is to be met and work instructions and other documents cover specific needs without covering all eventualities.
- Do not let regulatory documents take the place of job descriptions and operational training; they are there to create regulatory compliance. We often find that many of the tasks laid out in SOPs are there to help people do their jobs; they do not address regulatory needs. This means that any situation that is not completely aligned with the operational climate at the time the SOP was written runs the risk of causing unnecessary compliance failure.
- Manage all regulated documents in the same repository. Having multiple systems — or, worse, no system at all — makes it difficult to view the entire portfolio. If documents are in different locations then employees often have difficulty knowing where to look for the definitive version of documents. It becomes difficult to quickly assess the impact of a change and there is a significant risk of personally held (and therefore uncontrolled) versions being used to execute critical processes.
- Manage local variations locally. Local organizations are accountable for ensuring that they meet the obligations put on them by the global organization and by their local regulator. When there is a conflict between these two, then the local entity wins; if there is no conflict then global takes precedence. Organizations should therefore allow local variations to be managed locally rather than globally — trying to incorporate local requirements into higher level documents often leads to increased complexity.
- Ensure vital training is proportionate to the level of involvement. If a role is central to the execution of a process, then organizations need to make sure that the right people have received training. If, however, a role is involved only occasionally in the process, or influences only a small section of it, then the training for that role needs to be appropriate for the level of involvement. This requires on-demand training and training courses that target sub-components of the process. Training everyone on everything is neither popular nor effective.
- Make sure that creating and deploying new documentation and processes is not a "one and done" activity. Organizations must enable the business to support continuous improvement and monitoring of the document portfolio. They must also establish robust governance processes and infrastructure to provide effective oversight of the portfolio and enable rigorous monitoring to identify areas of weakness and opportunities in the portfolio.
Craig Wylie is a member of PA Consulting Management Group.