Balancing Compliance and Operational Efficiency
By Andy Newsom, CIO, CSL Behring
For years, the primary focus of regulators has been core pharmaceutical manufacturing processes, and not IT systems. However, in recent years the FDA established specific regulations such as CFR 21 Part 11 that apply to and impact electronic systems.
The problem was that the new regulations were vaguely written. Some were loosely interpreted and the FDA struggled with enforcement, while others were strictly applied. This put pharmaceutical IT organizations into something of a tailspin. The FDA decided to make adjustments in the regulations in order to better manage them.
Managing GxP applications has always been a challenge across the industry because of the importance of achieving balance between regulatory compliance and operational efficiency. The primary tool to manage regulatory compliance is the IT Quality Management System (ITQMS). Our ITQMS is the guiding framework made up of a set of policies and procedures to ensure compliance. It is based on ISPE GAMP5, an effective methodology that’s recognized by FDA and other regulatory agencies. GAMP5 provides IT organizations with a risk-based approach to life cycle management of GxP systems.
Pharmaceutical IT organizations are required to develop, maintain and operate GxP systems as well as non-GxP systems. CSL Behring is a biotherapeutics company that researches, develops, manufactures and markets biotherapies that are used to treat medical conditions. King of Prussia, PA based CSL Behring has a market cap of $33.52 Bn.
However, if properly developed, the ITQMS is scalable to accommodate both GxP and non-GxP systems and ensure that requirements for both systems are met. Again, a major struggle IT groups have today is balancing full compliance with regulations while maintaining operational efficiency.
The key is to not tip the scale too far in either direction. From a business risk perspective, the scale should be tipped to the compliance side. The first priority of most IT organizations is to ensure they’re developing, maintaining and operating GxP systems in a compliant state. The two primary considerations are people and process.
The head of IT Quality is responsible for interacting with both IT and the business, keeping up with regulatory changes and addressing process improvements. Regulators want to ensure that pharmaceutical companies do not have an IT Quality organization that functions independent of GxP Quality, but rather, as a component of the company’s Quality structure. For this reason, the IT Quality head should have an organizational connection such as a dotted line into the GxP Quality organization so that the two stay connected.
This is important because when FDA performs an audit they consider the GxP Quality organization responsible for overall compliance, so the two must work well together. FDA audits of a pharmaceutical company’s IT system aren’t uncommon and can lead to an examination of operational, validation, and other supporting documentation.
First and foremost, it is important to have the right people in place. Consider the type of culture that best supports a quality mindset. In the pharmaceutical industry we like to look for people that have a background in pharmaceutical manufacturing. We feel these employees have the right culture already established.
In the past, it was widely accepted that IT skills are highly transferable across industries. For this reason, pharmaceutical companies often hired people who came out of varied industries. However, we learned over time that it’s a bit of a culture shock for those employees who are not used to the level of regulatory scrutiny in our industry, due to the added level of documentation and controls that are required. As an example, many of them weren’t prepared for the rigors of GxP change control.
The evolution of the pharmaceutical business has driven the replacement of manual processes and paper-based systems with electronic computer systems. As an example, CSL Behring’s subsidiary, CSL Plasma, automated the majority of their manual systems with an electronic computer system resulting in better regulatory compliance along with significant efficiency gains. Regulators may still look at SOPs, but instead of paper forms and other documentation, we direct them to our computer system in which these documents are maintained electronically in a compliant GxP environment.
The fact is—some of the best technical folks are often lousy at documentation. It takes the full package to be the kind of person needed to maintain systems in a pharmaceutical business. At the end of the day, we have systems that can truly impact the efficacy of the products we produce, and that people are putting in their effort. This is why we must hold to such a high standard.
One of the big challenges in IT is finding and retaining good talent. There’s more demand than supply right now. The fact that we need to drill further down in the recruiting process for pharma experience makes it that much more difficult, as the pool of qualified candidates is further reduced.
We continue to evolve and are making good progress as an industry. Regulators are developing a better understanding of electronic systems, and IT leaders are developing a better understanding of the importance of maintaining compliant systems. This is a good thing for the industry and for business. You’re able to leverage the capabilities of an IT organization to make a difference and impact the productivity of the company.