18th European Symposium on Computer Aided Process Engineering – ESCAPE 18
Bertrand Braunschweig and Xavier Joulia (Editors)
© 2008 Elsevier B.V./Ltd. All rights reserved.
A Compliance Management System for the
Pharmaceutical Industry
Julie Fishera, Arantza Aldeaa, René Bañares-Alcántarab
a
School of Technology, Oxford Brookes University, OX33 1HX Oxford, UK
Department of Engineering Science, University of Oxford,OX1 3PJ, UK
b
Abstract
The management of compliance with rules, policies, guidelines, practices, and standards
is largely done through a manual and labour-intensive process. This process can be
facilitated through the use of a computer-based Compliance Management System
(CMS). A CMS identifies compliance tasks, tracks the performance of these tasks with
respect to a set of requirements and documents their compliance status. The output from
a CMS can be used to satisfy a variety of reporting requirements and initiate alerting
mechanisms. A CMS can be particularly useful in managing regulation change and
overlap. This paper presents the first step in the development of a decision and
compliance management tool, in particular, a prototype CMS for the pharmaceutical
industry is described. The CMS has been tested with a simulated case study.
Keywords: Compliance Management, Regulation, Information System, Pharmaceutical
Industry.
1. Introduction
The regulatory authorities are empowered to issue and enforce regulations for the
manufacture of pharmaceutical products with the aim to strike a balance between the
therapeutic advantages of a drug and its possible risks to the patients. The regulatory
authorities approve the sale of only those drugs produced with manufacturing processes
that comply with the regulations. As a result, individual pharmaceutical companies
produce a set of internal guidelines, rules, and policies to implement the regulation
imposed by the regulatory authorities.
The development and maintenance of these internal guidelines, rules and policies is an
arduous and tedious process that requires substantial human resources. To begin with,
the regulations must be interpreted to make them applicable to a specific manufacturing
process. However, quite often regulations are vague, subjective and ambiguous, and
thus with the potential to produce inconsistencies. A second complication is that there
are national and international regulations, and products and processes must comply with
all regulations of the places where they are produced and sold. Lastly, regulations
change in time and companies must update their procedures accordingly.
The process of interpretation finishes when all the regulations have been translated into
a set of tasks to be performed with a given frequency and by individuals with specific
roles. A Compliance Management System can be used to keep track of these tasks. A
CMS identifies compliance tasks, tracks the performance of these tasks and documents
their compliance status; the output can be used to satisfy a variety of reporting
requirements and initiate alerting mechanisms.
2
J. Fisher et al.
This paper describes the initial approach in the development of a CMS for the
pharmaceutical industry. The case study is built around rules regulating pharmaceutical
production; however, the purpose of this research is more general: to create a domain
independent CMS that operates for different regulations retrieved from a library. The
principles of this research are applicable to any other regulated activity such as trading,
construction, and industrial SHE (Safety, Health and Environmental) compliance.
The CMS under development consists of a MySQL database that stores the information
related to the compliance tasks and a JAVA front end that displays the data and interacts
with the different users. XML (eXtensible Markup Language) will be used in the future
so the CMS can communicate with other applications. Specifically, XML will be used
to store the tasks to be read by the CMS and the reports it generates.
The generic features of a Compliance Management System are described in the next
section. Section 3 focuses on the pharmaceutical industry and how a CMS can help to
cope with the regulations imposed in this domain. The implementation of our CMS for
the pharmaceutical industry is described in Section 4 and the preliminary results with a
test case are presented. The future steps in our research are discussed in Section 5.
2. Compliance Management Systems
A Compliance Management System (CMS) should be able to identify compliance tasks,
track their performance and document their compliance status; its output being
amenable to be used to satisfy a variety of reporting requirements [Boland 06]. Science
based industries are increasingly using CMSs because competitive and regulatory
pressures push them to consider the role that automation can play in converting data to
useful knowledge [Conley 00]. The number of regulations with which companies have
to conform nowadays is so vast that automating their compliance is a natural
progression.
There are three main components in a basic CMS: a library of applicable requirements,
another library of tasks created to meet those requirements, and a set of means to
administer status reporting and record keeping. Tasks can be defined in terms of a
vocabulary of actions (e.g. monitor, collect, perform, review, document, verify) applied
to objects (e.g. materials, equipments, reports) at a required frequency (e.g. once, daily,
weekly) done by an individual with a role (e.g. technician, process engineer, plant
manager). Compliance with a regulation can be assessed in terms of “checkpoints” [Yip
et al. 06]. Other types of information are goals/intentions and criteria, which are
necessary to evaluate task compliance [Boland 06]. Additional CMS features are e-mail
notification, escalation and recurring tasks. An e-mail notification system sends e-mails
to the employees due to carry out the tasks prior to the due date, whereas an escalation
system sends additional warning e-mails to the employee’s supervisors when a task is
either overdue or has failed.
[Conley 00] looked at automating regulatory compliance, focusing on the NuGenesis
Scientific Data Management System, when the acceptance of electronic record keeping
was relatively new to the Food and Drug Administration (FDA). NuGenesis does not
appear to store information about regulations and their associated data, and so does not
have the functionality to notify when these regulations are due to be carried out. [Yip et
al. 06] presented XISSF, an XML-based compliance audit system that enforces rules
A Compliance Management System for the Pharmaceutical Industry
and information security policies. However, many of the functions associated to a CMS,
such as describing a regulation in terms of tasks and roles, are not included.
[Boland 06] investigated how CMSs aid business and compared the features of some
commercial available CMSs in the market. The common features of all those systems
are e-mail notification and escalation.
Many of the commercial CMSs do not appear to be business specific; however there are
some expressly aimed at the pharmaceutical industry. For example EtQ for
Pharmaceuticals/Biotechnology (see www.etq.com), which is an integrated FDA CMS.
This system includes several modules, allowing to tailor its application to a company’s
needs, e.g. for archiving, escalation/delegation and monitoring. The EtQ system is
aimed for companies that want to put their products in the American market.
3. A CMS for the Pharmaceutical Industry
An important concern in the pharmaceutical industry is the large volume of regulations
and their constant update. The regulations need to be analysed and validated to create a
set of task, rules and procedures.
3.1. Regulations in the Pharmaceutical Industry
All licensed medication put onto the market has to comply with a regulatory body to
ensure it is effective and safe. It is essential for any company that all the criteria
imposed by the regulatory body are met, as a rejection of the application can be very
costly. However, regulation does not end after the approval of the manufacturing
process; there is a continuous monitoring of the medication during its market lifetime.
The most important regulatory bodies for the UK are MHRA (Medicines and Healthcare
products Regulatory Agency) at the UK level, EMEA (European Agency for the
Evaluation of Medicinal Products) at the EU level, and FDA (Food and Drug
Administration) for the American market.
Each regulatory body provides a number of principles and guidelines such as GMP
(Good Manufacturing Practice) and GLP (Good Laboratory Practice). These are written
at an abstract level and their aim is to provide guidance to the company. To aid in the
management of the large volume of guidelines there are books that collate all the
relevant information, e.g. Rules and Guidance for Pharmaceutical Manufacturers and
Distributors 2007 [Pharma Press 02], commonly referred to as the “orange guide”. The
orange guide is produced in association with MHRA and has all the guidance required
for a company wanting to sell their products in the UK or EU. There are also books that
aid in the compliance with the FDA guidelines, e.g. Pharmaceutical Master Validation
Plan [Haider 01] and Validation Standard Operating Procedures [Haider 06]. The first
book describes how a pharmaceutical company can put together a compressive plan to
achieve the validation requirements, while the second looks into every aspect of
validation for each of the guidelines.
Our aim is to create a tool that facilitates the validation process and hence the
translation of the regulations imposed by the regulatory bodies into a specific set of
tasks. The CMS is used to manage the tasks and the people involved in them. This paper
focuses on the first part of a prototype.
3
4
J. Fisher et al.
3.2. Requirements for a CMS
The CMS must be able to track the performance of compliance tasks and document their
status; notification of pending tasks and an escalation process to flag overdue tasks are
also required. To make the system more robust a regulation should be associated with a
role rather than a specific employee.
The quantity of data that a CMS is required to manage is large and must be preserved
accurately, ensuring that only those with the appropriate permission access it. Easy and
quick access to data is also desirable.
Lastly, the system must be able to create accounts for users with different levels of
access and functionality. No prior knowledge of the underlying software technologies
should be expected of the users, who will interact with the CMS using a Graphical User
Interface (GUI). This GUI needs to be simple and convenient for the user.
4. Implementation and Initial Results
The CMS has been developed in JAVA and all the information about tasks, regulations
and personnel was stored in a MySQL database. A JAVA GUI was also developed to
facilitate the introduction of all the information and the communication with each one of
the operators. More details about the system can be found in [Fisher 07].
Once the company has identified the set of task required to comply with the regulations,
those tasks and regulations must be introduced in the CMS. At the moment the tasks
are introduced manually through the CMS GUI (see Figure 1). In the near future we are
planning to introduce a connection between the output of a validation process tool based
on an organisational memory system (OMS) and the CMS. When a regulation is
entered, the type of personnel that will be in charge of the regulation must be identified
as well as the domain. After a regulation is successfully introduced into the database,
the CMS asks the user to input the associated tasks and displays the ADD TASK panel
(see Figure 1). By declaring tasks consecutively the user can ensure that prerequisite
tasks are entered previously. If there are concurrent users adding regulations and
associated tasks at the same time, the system is able to cope by storing the IDs of the
regulation or task that has just been created to be used in the creation of subsequent
tasks.
Figure 1. Windows used to enter regulations and their associated tasks.
A Compliance Management System for the Pharmaceutical Industry
Figure 2a. Customised “To Do” list for an employee.
supervisor when tasks are overdue.
2b. Warning sent to the
Tasks can be assigned to employees by the manager, and the employees will have then
access to a window that lists all the
tasks that need to be completed as
shown in Figure 2. The CMS keeps
track of all the tasks and their
assigned employees and will make
sure that all the tasks are
completed on time by highlighting
the pending tasks and sending
regular emails to the employees
(see Figure 2a). If the employee
does not carry out a task, a report is
generated and the corresponding
line manager will be informed (see
Figure 2b).
To showcase the CMS some
information was created for a small
fictitious company, e.g. there are
employees in three different roles
(administrators, supervisors and
analysts). Examples of regulations
were taken from Chapter 18 of
[Haider 2001] “Qualification of
Process Equipment”.
Figure 3. Example results written after performing
some verification tasks.
5
6
J. Fisher et al.
In particular, the regulation in the example applies to a Commuting Mill process, with
each of its functions split into tasks. No frequencies for carrying out the tasks are
suggested in the guidelines, as they depend on the manufacturer’s manual for the
machine; weekly tasks were set for this example. With further knowledge about the
machine, such as its calibration system or details about its workings, the tasks could
have been made more specific. The interface developed to introduce the results from
the tasks is shown in Figure 3.
5. Conclusions and Future Work
This paper has presented the initial results in the development of a CMS for the
pharmaceutical industry. The CMS has been tested with a case study built around rules
regulating pharmaceutical production. The purpose of this research is more general: to
create a domain independent CMS as the principles of this research are applicable to
any other regulated activity.
We are investigating the creation of a support decision making tool based in
Compendium [Shum et al. 06]. Given a set of regulations and guidelines, this tool will
support a quality assurance expert to parse those regulations (also policies, rules and
procedures) into tasks that need to be performed to comply with the regulations. These
tasks will then be saved in a XML ontology and incorporated in the CMS system; XML
will be the communication language with other applications. Specifically, XML will be
used to store the tasks to be read by the CMS and the reports it generates.
References
Boland, R. 2006. Reduce business risk with a CMS. Chemical Engineering Progress 102 (10), pp.
39-44.
Conley, J. 2000. Automating regulatory compliance. Scientific Computing and Instrumentation
17(3), pp. 25-26.
Fisher, L. 2007. Development of a Compliance Management System for the Pharmaceutical
Industry. MSc dissertation in Computing. Oxford-Brookes University
Haider, S. I. 2001. Pharmaceutical Master Validation Plan: The Ultimate Guide to FDA, GMP,
and GLP Compliance. Florida: CRC Press LLC, pp. 1-3 and 115-146.
Haider, S. I. 2006. Validation standard operating procedures: a step-by-step guide for achieving
compliance in the pharmaceutical, medical device, and biotech industries. 2nd ed. Florida:
CRC Press LLC, pp.3-18.
Pharmaceutical Press. 2007. Rules and Guidance for Pharmaceutical Manufacturers and
Distributors. 2007 ed. London: Pharmaceutical Press, pp. xvii-8.
Shum, S. J. B., Selvin, A. M., Sierhuis, M., Conklin, J., Haley, C. B. and Nuseibeh, B. 2006.
Hypermedia Support for Argumentation-Based Rationale: 15 Years on from gIBIS and QOC.
In: Dutoit, A.H., McCall, R., Mistrik, I. and Paech, B. (eds.) Rationale Management in
Software Engineering. Berlin: Springer, pp. 111-132.
Yip, F., Ray, P. and Paramesh, N. 2006. Enforcing Business Rules and Information Security
Policies through Compliance Audits; XISSF - A Compliance Specification Mechanism. In:
The First IEEE/IFIP International Workshop on Business-Driven IT Management (BDIM
2006)- Information Technology Management from a Business Perspective. pp. 81-90