Skip to content

Contact Us    Now Hiring

@meritweb on TwitterMerit Solutions on LinkedInMerit Solutions YouTube Video SeriesMerit Solutions on FacebookSubscribe to Merit Matters Blog

   

Are You Still Doing What You Say You Are Doing?

A very common audit observation is not following procedures. 23% of quality related warning letters issued by the FDA in 2013 were for document controls. The lion’s share of these issues involved the use of documents that do not follow the process. An auditor may notice a gap while reviewing document controls, reviewing executed records, during direct observation of your process or through questioning of operators. They may also probe multiple operators to establish consistency.

Some managers may have a false sense of confidence in thinking that “We’re O.K. We have a procedure for that.” Yes you can certainly be cited for having no procedure at all. But you have to look at the adequacy of the procedures to the purpose and scope. The CFR requirements are specific. Documents should be clear and easy to follow. Changes have to be documented, reviewed and approved. Communication of a change and evidence of training must be documented.

Continue reading "Are You Still Doing What You Say You Are Doing?"

What Is Compliance?

Compliance can be defined as observance, conformity, and obedience. In business, compliance generally designates the requirement to adhere to certain rules or laws, meet certain standards, and follow certain practices. Compliance standards can originate from external, as well as internal sources. A compliance requirement may be mandatory or optional and they can encompass virtually all aspects of the business environment – from financial and trade to regulatory and environmental. Customers and collaboration partners can also drive compliance adoption. Compliance becomes an important factor in a company’s ability to compete effectively as customers and collaboration partners increasingly require companies to follow certain practices or meet their specific standards. From tax reporting forms to how you place a label on a box for a customer, compliance requirements help drive the ways in which businesses operate.

Understanding the origin of compliance requirements enables appropriate prioritization and risk management. Compliance requirements that your organization must adhere to may be based on your ownership structure, management practices, location(s), and the market(s) in which you wish to participate, as well as your specific industry, customer, vendor, and bank affiliations.

External Drivers
External compliance requirements – whether they are driven by industry organizations, regulatory agencies, banks, trading partners, vendors, or customers – are top of mind among organizations today. Governments generate many regulations directed at businesses, too, and these regulations often provide the business community with the greatest challenges with regard to compliance. Many government regulations, such as the Sarbanes-Oxley Act, 21 CFR Part 11 and the Food Safety Modernization Act, target specific industries and businesses while some apply to all businesses. Government compliance regulations reach across the entire spectrum of business operation activities – from tax collection and reporting, to verification of manufacturing quality and material tracing capabilities, to corporate governance.

Internal Drivers
Managing internal compliance requirements is becoming even more important for organizations. The need to develop and maintain internal controls and corporate content policies and rules such as deciding what documents to save and what to delete, data and document access rights, email attachment rules and management best practices – to name just a few – is driving compliance adoption across organizations.

A complete understanding of the sources of compliance for your organization can help you plan ahead and adopt and retire compliance requirements as those requirements and your organization evolve. The next focus for compliance management then becomes: “How do I adopt a new, strict structure of compliance requirements and keep current compliance actions intact while enhancing my organization’s profitability, and its abilities to innovate, adapt, and optimize?”

Information Technology plays a key role in helping companies manage an effective compliance program and enforce compliance requirements internally and externally. Technology enables the collection, analysis and control of enterprise-wide data, delivering the crucial information needed for intelligent business decisions. Ideally, this means establishing a viable compliance program and having compliance requirements integrated into business management systems like Microsoft Dynamics AX - enabling companies to transform compliance requirements into business benefits and a competitive advantage!

Taking Another Look At Automated vs. Manual Compliance

Time to take another look at automating FDA compliance?

“Gosh”, you say, “need we or any pharmaceutical manufacturer look any further than the mountains of forms we fill out hourly in order to get an order out the door?”

YES, it’s time to take another look at compliance because the FDA’s swelling ranks give you new reason to do so. This means even more FDA inspectors fully schooled in regulations of 21 CFR Part 11 that pharmaceutical firms must live or die by. In our post 9/11 reality, you would be in your rights to suspect that these ranks will swell even more in years to come because, like it or not, public security demands that this be so. However, the BIGGER reason why you should revisit this now is that there are a growing number of systems out there that will allow FDA compliance for fast-growing firms, and finding right-sized solutions can be THE KEY to profitability.

FDA regulations do not require you to automate your business systems, and you will never find an FDA regulator who will tell you to do so. But if you make a frank comparison of man vs. machine, you can see why any FDA regulator worth their pay breathes a sigh of relief when they monitor pharmaceutical manufacturers that use widely recognized and standardized integrated business systems known to be adapted for FDA 21 CFR Part 11 compliance. Pharmaceutical manufacturers that use such integrated business systems can be expected to be a long way down the road of compliance. An otherwise comparable pharmaceutical manufacturer that uses entirely manual processes and handwritten records is quite a bit more suspect.

Unlike you or me, an automated system will do a programmed task exactly the same way every time. Humans have moods; machines do not. Humans are subject to sleep deprivation, attention lapses, bad attitudes and bad days. Good ‘ol automated systems just plug away the same way each and every time. While a very human production supervisor working in the context of a paper-based system might forget to consult the proper logs of quarantined materials, a properly programmed computer will never make that mistake and never prompt an operator to skip required steps for quality control and authorized signatures. No system that involves human action is bullet-proof, but automated systems can reduce risks of sloppy practices considerably. On the other hand, machines might fail miserably at finding creative solutions to new situations, and to the extent that compliance hinges on skills to handle exceptional situations, human hands and minds come to play a part.

It’s the FDA’s job to keep an eye on how much of a risk your business poses to the public. In turn, it’s your job (along with all members of your company’s executive team) to determine the limits of regulatory risk your company can handle. Regulatory risk is the risk of being found out of compliance. The financial risk of non-compliance includes costs of additional inspections, lost production time, unsellable product, recalls, plant shut downs, company fines, jail time for executives, and/or public relations fiascoes that put you out of business.

On the other side of the equation are the costs for compliance. In a totally manual system those costs usually involve added head count, along with all the salary and benefits such staffing requires. Automated systems not only have upfront costs for software (and sometimes hardware) but also for training, and validation of the systems. Sometimes automated systems themselves bring on added costs for IT expertise, and ongoing costs to ensure that the systems are updated and in synch with evolving Standard Operating Procedures.

Because information systems can lower people costs but generate their own costs, there has to be a balance to create the right level of automation at an appropriate cost. The type of products that your company manufactures and the processes that it takes to do so have a right-sized mix of manual and automated systems that will rely on computers for repetitive operations and humans for handling exceptions. Moreover, the size of your company is one of the best indicators of the degree of automated compliance that will pay off for your firm.

The largest pharmaceutical manufacturers that have numerous plants spanning several continents and many product lines, are the only types of companies likely to benefit from full (or nearly 100%) automation for compliance. Such large companies need centralized control and standard procedures to leverage their size advantage and lower the overall compliance costs (and risk!) on a per plant basis.

The smallest start-up pharmaceutical manufacturers that still have one foot in the research lab from which they spawned, are right to have sticker shock when they consider the integrated business systems the behemoth-sized pharmaceutical firms employ. But where many of these companies get into trouble is in not re-visiting the equation as their company grows.

First of all, integrated business systems vary widely in cost, with the ones geared for the largest companies in need of near total automation cost as much as 5 times what a comparable system geared for a mid-sized company would need. Secondly, the costs of compliance and costs of non-compliance are only a fraction of value created by integrated business systems. Within or without the pharmaceutical industry integrated business systems pay for themselves by helping cut the costs of production and doing business, e.g. by speeding product cycle time, cutting inventory costs, and more. Third, the disorganization potential of paper-based business systems is far more dangerous to a rapidly growing company. If you feel that you are already awash in paper, you may well be one of those companies that is so consumed in managing paper trails that you cease to see how crippled your operation is. And finally, a host of 3rd parties that can be critical to a mid-sized pharmaceutical firm’s continued success - from FDA inspectors, to Venture Capital sources, to banking institutions, etc.-will look positively on pharmaceutical firms with business systems on par with their scientific expertise.

Can Automated Compliance AND Efficient Business Process Coexist?

The harsh reality for every Life Sciences company - companies that manufacture drugs, medical devices, or other products with the potential of causing physical harm to humans - is that they must operate in control and according to numerous compliance regulations, including FDA 21 CFR Part 11. But within this constant, every company makes decisions about how to build their processes (tasks and resources applied to activities to produce an outcome) and what strategies to operate with in relationship to these regulations.

The idea we discuss with Life Sciences companies today is growing with muscle, not fat. Specifically, we help companies understand that the many compliance processes that they currently perform with manual methods are very costly relative to growth.

The biggest cost of manual processes is – yes – people. When you grow, you have increased volumes going through your business processes, and variations in those processes based on different types of customers, orders, products, suppliers, etc. Many times it is not a linear relationship, but exponential in terms of the people you have to add relative to the business growth. Sometimes, it cannot be covered just by adding people.

However, the more important costs of manual processes are time and visibility. Manual processes store data in a disconnected and difficult-to-access manner. If data related to these manual processes is required for decision making, there is often a time delay in getting the data into a consistent, usable format. And because it is costly to gather the data, many companies decide to operate without it, which leads to decisions that are less optimal and often time delayed. Of course, on top of all this is the issue of errors related to gathering and entering the data in to a usable format.

The bottom line is that manual processes add stress, costs, and risk to an organization, and is one of the main drivers for looking at automated compliance approaches.

Automated compliance is what the market rewards. Ultimately, the supply chain that you are in or will be in will quickly learn of the companies that are able to produce efficiently and with high control and compliance. Many companies that we speak with come to us because they have been given a choice to make about this. Buyers are now demanding that suppliers have an automated approach to compliance because the buyer understands what it means to them.

Traditionally, we talk to a lot of companies that think about efficient business processes and compliance processes as operating in an inverse direction. In other words, if you increase your level of regulatory compliance, you will reduce the efficiency of your business processes, and vice versa. We have found, however, that there are huge gains to approaching both within the same automated manner; thereby increasing the efficiency and flexibility of their business processes at the same time.

Companies can get the best of both worlds - that is, more efficient processes with automated compliance controls - by moving to a unified central business system that has enterprise compliance capabilities built-in already. These systems can help Life Sciences companies:

  • Eliminate manual efforts and paperwork, reducing errors and saving time and human tasks
  • Audit, capture and store information according to 21 CFR Part 11
  • Automatically enforce controls according to SOPs
  • Cost effectively and rapidly deploy business systems in a validated manner
  • Enforce controls, but with the flexibility to adapt and grow with your changing business over time
At Merit Solutions, we have taken this philosophy and built the model of our company around it. This model includes service methods, pre-built intellectual property, and software components that are built within the Microsoft Dynamics ERP software – all to help Life Sciences companies realize the benefits of reduced risk, increased operational efficiency, and the continued building of a foundation on which to grow.

Lots More Than Lot Tracking! - What FDA 21 CFR Part 11 Is and Is NOT

Since we're up in Toronto this week attending Microsoft's Worldwide Partner Conference, we thought we'd repost an article from our archives. This article was originally written by Merit Solutions' President Bill Burke, and was published by Pharmaceutical Processing in March of 2004. It's an oldie (but goodie) - Enjoy!

"Think that because you have strong controls for lot tracking and traceability you are fully compliant with FDA CFR 21 Part 11?

Think again! The truth is, lot tracking is more tangential to what FDA CFR Part 11 is all about, and far from being the pith of the matter. Yes, you must address lot tracking to be FDA-compliant, because lot tracking with integrity is an essential part of FDA-mandated GMPs (Good Manufacturing Practices). But lot tracking and other ingredients of product accountability are NOT what FDA CFR Part 11 is about. Rather, Part 11 addresses the closely related but separate matter of your data accountability.

"Data accountability--- huh????" you ask. "What's that?" Okay, let's consider the nightmare scenario that someone over at the FDA is probably already thinking about for another industry, and how 21 CFR Part 11 would look for them. Imagine a day when incidences of so-called mad cow disease become widely prevalent such that tight controls along the lines of FDA CFR 21 Part 11 are seen as necessary.

If that horrid day arrives and you, the farmer, unwittingly think that FDA CFR 21 Part 11 is just about lot tracking, you would dutifully put tracking numbers on every cow (just as they do in Canada) and mistakenly feel comfortable that your operation is fully compliant with FDA CFR 21 Part 11. This would be a very important step-i.e. numbering all cows in the herd. However, data accountability would mean that you not only can trace herd numbers, but also you have a complete historic record of where each animal ate, what it ate, where this food came from, when the animal ate it, who fed the cow, what the cow weighed before and after it was fed, where it slept, any exposures to cows in other lots, etc. You, the farmer, would not only need to keep this data, but you would probably need the equivalent of a dual password on a computer screen to get access to cows in a particular pen, and certainly would need such password protection before you were able to gain access to move cows out of a pen. Each and every time you or any and every farmhand did something with the cow, you would need to record it or track it, such that there is a complete data record of every cow's lifetime for every cow in the herd.

If you think that sounds potentially complicated, you couldn't be more right. And that is probably one reason why the FDA has NOT run to demand FDA CFR 21 Part 11 compliance to minimize the already miniscule incidence of Bovine Spongiform Encephalopathy. However, the FDA DOES demand that this type of life cycle data be recorded in great detail for pharmaceuticals. In fact, if you haven't invested in electronic systems that are known to be fully compliant with FDA CFR 21 Part 11, you might need to spend as much as $500,000 to write custom tracking automation software that brings you in reach of compliance on top of whatever pretty penny you have already spent to put in non-FDA compliant systems. Luckily, there are workable systems that are fully-FDA CFR 21 Part 11 compliant that do not come with that kind of price tag, especially if you are a mid-sized firm.

What FDA CFR 21 Part 11 is about, is the reliability and auditability of your electronic systems en toto. Even before the post-9/11 consciousness of how terrorists might try to wreak havoc, the FDA's regulations had the wherewithal to demand that data integrity be airtight. Let's take a look at some of the specific requirements and what this means for you and every pharmaceutical manufacturer.

Section 11.10 c, for instance, mandates "Protection of records to enable their accurate and ready retrieval throughout the records retention period." That means that your business systems need to capture all transactions, including updates and changes, and archive them in an accessible database that can be viewed, printed, exported and/or downloaded throughout the records retention period. "Ready retrieval" doesn't mean you can let your IT staff come up with some sort of procedure if and when the FDA requests data-it means you need to have this information accessible in keystrokes right away if and when it is required AND that this data is not changeable by happenstance.

Section 11.30 c, for example, stipulates that "loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls." This means that your manufacturing systems need to automatically disable a user account in the event of password loss or theft to protect data security.

Thus, in these as with all other details, FDA CFR 21 Part 11 is about data accountability. You either have it or you don't.

Sad to say, far too many pharmaceutical manufacturers seem to not only not be FDA CFR 21 Part 11 compliant, but to fail to even grasp what having it would require. Consider the firm that invests in ERP systems widely used in other industries, without considering if FDA compliance has been either built-in to the system or available as add-ons. And consider the potential that those with malevolent intent have to ravage the integrity of data essential to the profitable operations of your business. However carefully you consider this problem, know that the FDA already has, and the sum of their concerns is called FDA CFR 21 Part 11."

Learn more about MAXLife, Merit Solutions' pharmaceutical software for 21 CFR Part 11 compliance.