10 simple rules for creating an effective portfolio of regulated documents
Compliance is achieved through simplicity and clarity, not complexity or extensive detail
The pharmaceutical industry could not function without its regulated documents, such as policies, standard operating procedures (SOP) and working practices. As regulations become more complex and diverse, so do the corresponding demands on the business to ensure compliance. Unfortunately, this can make the required regulated documents more difficult to develop and maintain, and therefore exposes the company to a higher likelihood of future compliance failure.
Drawing on PA Consulting Group’s regulatory expertise and experience of working with pharmaceutical and other regulated companies, we know that compliance is achieved through simplicity and clarity, not complexity. PA suggests 10 basic rules for creating and deploying simple but effective regulated documents:
- Aim for simplicity and clarity - avoiding complexity and the drive to cover all eventualities. Organisations must seek opportunities to reduce complexity as this will enhance the likelihood that people will comply, and results in fewer errors. When organisations try to cover every possible situation the documentation becomes so complex it becomes practically impossible to remain compliant with it.
- Be outcome oriented - building on the first rule, it is important to define the outcome required, not the input expected. When organisations define the input, or activity, then the process can be adhered to without meeting the regulatory obligations set by the regulator. When the outcome is defined then the tasks become those that are required to meet the outcome, and compliance is not achieved unless the outcome is right.
- Don’t aim for perfection; use a risk-based model - the goal is to develop a good system that is fit for purpose without a lot of complexity. Inevitably there will be circumstances that are not catered for within the documents; do not expect every possible eventuality to be covered. High frequency risks must be covered but low frequency high-impact risks are better managed by people reacting to the crisis rather than trying to mandate behaviour a priori for every possible event. Good controlled document architecture requires a risk based approach.
- Make processes role based, not job title based - while organisational restructuring happens frequently, organisations must build processes around roles, which will expedite redevelopment or integration of documents. This also allows for the organisation to align to local requirements without needing to rewrite SOPs. For a role-based model to be successful, individuals need to have their roles recorded in the learning management system and these roles need to be maintained as responsibilities change.
- Ensure different document types have clear guidelines for the different content required - It has to be clear whether a specific document mandates process or simply provides guidance; the selected document type must also reflect this intent. For example, policy documents set the ambition, a quality management system (QMS) lays out the scope, SOPs define how the scope is to be met and work instructions and other documents cover specific needs without covering all eventualities.
- Remember that regulatory documents should not take the place of job descriptions and operational training - they are there to create regulatory compliance. We often find that many of the tasks laid out in SOPs are there to help people do their job; they do not address regulatory need. This means that any situation that is not completely aligned with the way things were operationally when the SOP was written run the risk of causing unnecessary compliance failure.
- Manage all regulated documents in the same repository - having multiple systems or, worse, no system at all, makes it difficult to view the entire portfolio. If documents are in different locations then employees run the risk of not knowing where to look for the definitive version of documents. It becomes difficult to quickly assess the impact of a change and there is a significant risk of personally held (and therefore uncontrolled) versions being used to execute critical processes.
- Manage local variations locally - local organisations are accountable for ensuring that they meet the obligations put on them by the global organisation and by their local regulator. When there is a conflict between these two then the local wins, if there is no conflict then global takes precedence. Trying to incorporate local requirements into higher level documents often leads to increased complexity. Organisations should allow local variations to be managed locally rather than globally.
- Ensure vital training is proportionate to the level of involvement - if a role is central to the execution of a process then organisations need to make sure that the right people have received training. If, however a role is involved only occasionally in the process, or influences only a small section of it, then the training for that role needs to be appropriate for the level of involvement. This requires on-demand training and training courses that target sub-components of the process. Training everyone on everything is neither popular nor effective.