18th European Symposium on Computer Aided Process Engineering – ESCAPE 18 Bertrand Braunschweig and Xavier Joulia (Editors) © 2008 Elsevier B.V./Ltd. All rights reserved. A Compliance Management System for the Pharmaceutical Industry Julie Fishera, Arantza Aldeaa, René Bañares-Alcántarab a School of Technology, Oxford Brookes University, OX33 1HX Oxford, UK Department of Engineering Science, University of Oxford,OX1 3PJ, UK b Abstract The management of compliance with rules, policies, guidelines, practices, and standards is largely done through a manual and labour-intensive process. This process can be facilitated through the use of a computer-based Compliance Management System (CMS). A CMS identifies compliance tasks, tracks the performance of these tasks with respect to a set of requirements and documents their compliance status. The output from a CMS can be used to satisfy a variety of reporting requirements and initiate alerting mechanisms. A CMS can be particularly useful in managing regulation change and overlap. This paper presents the first step in the development of a decision and compliance management tool, in particular, a prototype CMS for the pharmaceutical industry is described. The CMS has been tested with a simulated case study. Keywords: Compliance Management, Regulation, Information System, Pharmaceutical Industry. 1. Introduction The regulatory authorities are empowered to issue and enforce regulations for the manufacture of pharmaceutical products with the aim to strike a balance between the therapeutic advantages of a drug and its possible risks to the patients. The regulatory authorities approve the sale of only those drugs produced with manufacturing processes that comply with the regulations. As a result, individual pharmaceutical companies produce a set of internal guidelines, rules, and policies to implement the regulation imposed by the regulatory authorities. The development and maintenance of these internal guidelines, rules and policies is an arduous and tedious process that requires substantial human resources. To begin with, the regulations must be interpreted to make them applicable to a specific manufacturing process. However, quite often regulations are vague, subjective and ambiguous, and thus with the potential to produce inconsistencies. A second complication is that there are national and international regulations, and products and processes must comply with all regulations of the places where they are produced and sold. Lastly, regulations change in time and companies must update their procedures accordingly. The process of interpretation finishes when all the regulations have been translated into a set of tasks to be performed with a given frequency and by individuals with specific roles. A Compliance Management System can be used to keep track of these tasks. A CMS identifies compliance tasks, tracks the performance of these tasks and documents their compliance status; the output can be used to satisfy a variety of reporting requirements and initiate alerting mechanisms. 2 J. Fisher et al. This paper describes the initial approach in the development of a CMS for the pharmaceutical industry. The case study is built around rules regulating pharmaceutical production; however, the purpose of this research is more general: to create a domain independent CMS that operates for different regulations retrieved from a library. The principles of this research are applicable to any other regulated activity such as trading, construction, and industrial SHE (Safety, Health and Environmental) compliance. The CMS under development consists of a MySQL database that stores the information related to the compliance tasks and a JAVA front end that displays the data and interacts with the different users. XML (eXtensible Markup Language) will be used in the future so the CMS can communicate with other applications. Specifically, XML will be used to store the tasks to be read by the CMS and the reports it generates. The generic features of a Compliance Management System are described in the next section. Section 3 focuses on the pharmaceutical industry and how a CMS can help to cope with the regulations imposed in this domain. The implementation of our CMS for the pharmaceutical industry is described in Section 4 and the preliminary results with a test case are presented. The future steps in our research are discussed in Section 5. 2. Compliance Management Systems A Compliance Management System (CMS) should be able to identify compliance tasks, track their performance and document their compliance status; its output being amenable to be used to satisfy a variety of reporting requirements [Boland 06]. Science based industries are increasingly using CMSs because competitive and regulatory pressures push them to consider the role that automation can play in converting data to useful knowledge [Conley 00]. The number of regulations with which companies have to conform nowadays is so vast that automating their compliance is a natural progression. There are three main components in a basic CMS: a library of applicable requirements, another library of tasks created to meet those requirements, and a set of means to administer status reporting and record keeping. Tasks can be defined in terms of a vocabulary of actions (e.g. monitor, collect, perform, review, document, verify) applied to objects (e.g. materials, equipments, reports) at a required frequency (e.g. once, daily, weekly) done by an individual with a role (e.g. technician, process engineer, plant manager). Compliance with a regulation can be assessed in terms of “checkpoints” [Yip et al. 06]. Other types of information are goals/intentions and criteria, which are necessary to evaluate task compliance [Boland 06]. Additional CMS features are e-mail notification, escalation and recurring tasks. An e-mail notification system sends e-mails to the employees due to carry out the tasks prior to the due date, whereas an escalation system sends additional warning e-mails to the employee’s supervisors when a task is either overdue or has failed. [Conley 00] looked at automating regulatory compliance, focusing on the NuGenesis Scientific Data Management System, when the acceptance of electronic record keeping was relatively new to the Food and Drug Administration (FDA). NuGenesis does not appear to store information about regulations and their associated data, and so does not have the functionality to notify when these regulations are due to be carried out. [Yip et al. 06] presented XISSF, an XML-based compliance audit system that enforces rules A Compliance Management System for the Pharmaceutical Industry and information security policies. However, many of the functions associated to a CMS, such as describing a regulation in terms of tasks and roles, are not included. [Boland 06] investigated how CMSs aid business and compared the features of some commercial available CMSs in the market. The common features of all those systems are e-mail notification and escalation. Many of the commercial CMSs do not appear to be business specific; however there are some expressly aimed at the pharmaceutical industry. For example EtQ for Pharmaceuticals/Biotechnology (see www.etq.com), which is an integrated FDA CMS. This system includes several modules, allowing to tailor its application to a company’s needs, e.g. for archiving, escalation/delegation and monitoring. The EtQ system is aimed for companies that want to put their products in the American market. 3. A CMS for the Pharmaceutical Industry An important concern in the pharmaceutical industry is the large volume of regulations and their constant update. The regulations need to be analysed and validated to create a set of task, rules and procedures. 3.1. Regulations in the Pharmaceutical Industry All licensed medication put onto the market has to comply with a regulatory body to ensure it is effective and safe. It is essential for any company that all the criteria imposed by the regulatory body are met, as a rejection of the application can be very costly. However, regulation does not end after the approval of the manufacturing process; there is a continuous monitoring of the medication during its market lifetime. The most important regulatory bodies for the UK are MHRA (Medicines and Healthcare products Regulatory Agency) at the UK level, EMEA (European Agency for the Evaluation of Medicinal Products) at the EU level, and FDA (Food and Drug Administration) for the American market. Each regulatory body provides a number of principles and guidelines such as GMP (Good Manufacturing Practice) and GLP (Good Laboratory Practice). These are written at an abstract level and their aim is to provide guidance to the company. To aid in the management of the large volume of guidelines there are books that collate all the relevant information, e.g. Rules and Guidance for Pharmaceutical Manufacturers and Distributors 2007 [Pharma Press 02], commonly referred to as the “orange guide”. The orange guide is produced in association with MHRA and has all the guidance required for a company wanting to sell their products in the UK or EU. There are also books that aid in the compliance with the FDA guidelines, e.g. Pharmaceutical Master Validation Plan [Haider 01] and Validation Standard Operating Procedures [Haider 06]. The first book describes how a pharmaceutical company can put together a compressive plan to achieve the validation requirements, while the second looks into every aspect of validation for each of the guidelines. Our aim is to create a tool that facilitates the validation process and hence the translation of the regulations imposed by the regulatory bodies into a specific set of tasks. The CMS is used to manage the tasks and the people involved in them. This paper focuses on the first part of a prototype. 3 4 J. Fisher et al. 3.2. Requirements for a CMS The CMS must be able to track the performance of compliance tasks and document their status; notification of pending tasks and an escalation process to flag overdue tasks are also required. To make the system more robust a regulation should be associated with a role rather than a specific employee. The quantity of data that a CMS is required to manage is large and must be preserved accurately, ensuring that only those with the appropriate permission access it. Easy and quick access to data is also desirable. Lastly, the system must be able to create accounts for users with different levels of access and functionality. No prior knowledge of the underlying software technologies should be expected of the users, who will interact with the CMS using a Graphical User Interface (GUI). This GUI needs to be simple and convenient for the user. 4. Implementation and Initial Results The CMS has been developed in JAVA and all the information about tasks, regulations and personnel was stored in a MySQL database. A JAVA GUI was also developed to facilitate the introduction of all the information and the communication with each one of the operators. More details about the system can be found in [Fisher 07]. Once the company has identified the set of task required to comply with the regulations, those tasks and regulations must be introduced in the CMS. At the moment the tasks are introduced manually through the CMS GUI (see Figure 1). In the near future we are planning to introduce a connection between the output of a validation process tool based on an organisational memory system (OMS) and the CMS. When a regulation is entered, the type of personnel that will be in charge of the regulation must be identified as well as the domain. After a regulation is successfully introduced into the database, the CMS asks the user to input the associated tasks and displays the ADD TASK panel (see Figure 1). By declaring tasks consecutively the user can ensure that prerequisite tasks are entered previously. If there are concurrent users adding regulations and associated tasks at the same time, the system is able to cope by storing the IDs of the regulation or task that has just been created to be used in the creation of subsequent tasks. Figure 1. Windows used to enter regulations and their associated tasks. A Compliance Management System for the Pharmaceutical Industry Figure 2a. Customised “To Do” list for an employee. supervisor when tasks are overdue. 2b. Warning sent to the Tasks can be assigned to employees by the manager, and the employees will have then access to a window that lists all the tasks that need to be completed as shown in Figure 2. The CMS keeps track of all the tasks and their assigned employees and will make sure that all the tasks are completed on time by highlighting the pending tasks and sending regular emails to the employees (see Figure 2a). If the employee does not carry out a task, a report is generated and the corresponding line manager will be informed (see Figure 2b). To showcase the CMS some information was created for a small fictitious company, e.g. there are employees in three different roles (administrators, supervisors and analysts). Examples of regulations were taken from Chapter 18 of [Haider 2001] “Qualification of Process Equipment”. Figure 3. Example results written after performing some verification tasks. 5 6 J. Fisher et al. In particular, the regulation in the example applies to a Commuting Mill process, with each of its functions split into tasks. No frequencies for carrying out the tasks are suggested in the guidelines, as they depend on the manufacturer’s manual for the machine; weekly tasks were set for this example. With further knowledge about the machine, such as its calibration system or details about its workings, the tasks could have been made more specific. The interface developed to introduce the results from the tasks is shown in Figure 3. 5. Conclusions and Future Work This paper has presented the initial results in the development of a CMS for the pharmaceutical industry. The CMS has been tested with a case study built around rules regulating pharmaceutical production. The purpose of this research is more general: to create a domain independent CMS as the principles of this research are applicable to any other regulated activity. We are investigating the creation of a support decision making tool based in Compendium [Shum et al. 06]. Given a set of regulations and guidelines, this tool will support a quality assurance expert to parse those regulations (also policies, rules and procedures) into tasks that need to be performed to comply with the regulations. These tasks will then be saved in a XML ontology and incorporated in the CMS system; XML will be the communication language with other applications. Specifically, XML will be used to store the tasks to be read by the CMS and the reports it generates. References Boland, R. 2006. Reduce business risk with a CMS. Chemical Engineering Progress 102 (10), pp. 39-44. Conley, J. 2000. Automating regulatory compliance. Scientific Computing and Instrumentation 17(3), pp. 25-26. Fisher, L. 2007. Development of a Compliance Management System for the Pharmaceutical Industry. MSc dissertation in Computing. Oxford-Brookes University Haider, S. I. 2001. Pharmaceutical Master Validation Plan: The Ultimate Guide to FDA, GMP, and GLP Compliance. Florida: CRC Press LLC, pp. 1-3 and 115-146. Haider, S. I. 2006. Validation standard operating procedures: a step-by-step guide for achieving compliance in the pharmaceutical, medical device, and biotech industries. 2nd ed. Florida: CRC Press LLC, pp.3-18. Pharmaceutical Press. 2007. Rules and Guidance for Pharmaceutical Manufacturers and Distributors. 2007 ed. London: Pharmaceutical Press, pp. xvii-8. Shum, S. J. B., Selvin, A. M., Sierhuis, M., Conklin, J., Haley, C. B. and Nuseibeh, B. 2006. Hypermedia Support for Argumentation-Based Rationale: 15 Years on from gIBIS and QOC. In: Dutoit, A.H., McCall, R., Mistrik, I. and Paech, B. (eds.) Rationale Management in Software Engineering. Berlin: Springer, pp. 111-132. Yip, F., Ray, P. and Paramesh, N. 2006. Enforcing Business Rules and Information Security Policies through Compliance Audits; XISSF - A Compliance Specification Mechanism. In: The First IEEE/IFIP International Workshop on Business-Driven IT Management (BDIM 2006)- Information Technology Management from a Business Perspective. pp. 81-90