We're definitely seeing more of the mid-market pharmaceutical companies and the medical device companies take a more aggressive
view to government-regulated compliance.... And we see the big pharmaceutical companies take the more aggressive view about
managing the risks of their business partners....
Flam notes that while software vendors should be current with regard to the regulatory landscape, most changes to regulations
affect how companies conduct their business rather than the underlying software they use.
[When the FDA decides to update or change any of its GMP, GCP, or GLP regulations, such changes will most often impact the
companies directly. However, it is our responsibility to ensure that additional requirements on our software are rapidly implemented
so that our customers remain compliant. This is particularly relevant] when a company is using electronic records.
There are really two pieces [to what we do]. The first is: How do I manage my response to that regulation? [And second,] whether
my response is to change a policy or procedure in the company or implement a whole new set of controls in an automated fashion....
Some of those decisions are enabled by software.... Fifteen years ago...one of the key things was lot traceability: How do
I know ... what got made where, so if there's a problem, I could take it back? ... [companies at the time didn't have that
feature producing software for enterprise resource planning (ERP)]. So it was a way through the inventory process...because
it was a fundamental business process [it] was dealt with within software. But the decision ultimately of what to do is the
business's decision... If [they're] doing a good job at running a compliance program...[they] need to assign somebody who's
responsible. If there's a compliance issue, and there's nobody in the organization who is singularly responsible, that's a
....for the first time, the life sciences industry is feeling the need to manage regulatory compliance across regulations
on a risk-based approach. Often, there is one officer in the company who is charged with regulatory compliance, and this officer
is keenly interested in mitigating risk proactively in a unified governance framework for the company.
[Companies] need a way to communicate....[they] need a way to track issues that occur and manage them in a consistent way....
The very simple economics of doing the right things are ... if I have an effective compliance program, and I can prove it,
and this is where software comes into place.... So the elements of an effective compliance program are sort of the recipe to
a process model that one, lets you have a clear view, and two, when the inevitable occurs and somebody comes after you, you
have a defensible position that you can prove.
That is really the essence of keeping track of anything that happens. [The steps to be taken to investigate incidents, actions
to be taken as a remedy, and what needs to be done to prevent incidents from happening again].
At this point, I asked the discussants to talk about particular requirements that are most challenging.
For each company, a given regulation could impose challenges that are particularly difficult within their specific business.
Sarbanes-Oxley provides great challenges because the extent to which companies interpret and implement regulatory compliance
is sometimes subjective. As a result, companies usually go overboard in an attempt to remove regulatory risk altogether. On
the other hand, with regulations such as 21 CFR Part 11 and the like, the scope is well understood, but the challenge with these initiatives is the cost of validation. Often
the cost and complexity of validation are extremely high, enough to thwart continuous improvement initiatives.
We've helped a number of the large pharmaceutical companies with corporate integrity agreements, and that is where they've
gotten typically into trouble around Medicare–Medicaid billing fraud.