There's a list that no pharmaceutical, life sciences, or food manufacturer wants to be on. It's called the FDA Enforcement Report. Published weekly by the Food and Drug Administration and the Department of Health and Human Services, the list details product recall actions taken against manufacturers.
But even if your company is lucky enough to have skirted the public recall list, you can't afford to let down your guard. If an FDA inspector has visited one of your sites recently, you could receive a warning letter, giving you 15 to 30 days to respond before legal action is taken, which could lead to anything from a slap on the wrist, to discontinuation of a product line, to a big, fat fine.
Clearly, no FDA-regulated company has it easy these days. But pharmaceutical manufacturers may have it the toughest. These companies face very specific FDA guidelines governing drug development and product quality, and the FDA has become more demanding when it comes to enforcing the rules. As a result, pharmaceutical companies are being forced to reevaluate their operational and manufacturing processes and to implement new systems that emphasize agility and support activities such as product quality, lot traceability, and, of course, regulatory compliance.
FDA regulation is certainly nothing new to pharmaceutical manufacturers. Regulations such as the Current Good Manufacturing Practices guidelines have been around for years. But the FDA recently began to take a new approach to enforcing those regulations, according to experts. The agency no longer expects pharmaceutical companies only to comply with regulations such as CGMP; it also wants to see the rationale behind companies' compliance processes.
"In the old world, you recorded the end state in the submission process, which said, 'I ran this process three times. Here are the results and everything looks OK,' " says Hussain Mooraj, research director for life sciences at AMR Research. "But what was missing was, why are you doing what you are doing?"
Drug safety is the driver behind the regulations, according to the FDA. To avoid shipping bad product, many pharmaceutical manufacturers have stepped up testing. "Today, every product made is put under quarantine and they test the hell out of it," says Bob Honor, vice president of Rockwell Automation's life sciences group, referring to pharmaceutical companies' compliance efforts. Ultimately, however, even when they follow FDA orders, these companies are not avoiding risk altogether. "They are just managing risk more selectively," Honor says.
Selective risk management often means following new quality guidelines under the FDA's Process Analytical Technology (PAT) methodology, which states that quality should be built into the manufacturing process "by design." There are also risk management and quality guidelines associated with drug development that are outlined specifically for the pharmaceutical industry. These guidelines, called Q9 Quality Risk Management and Q8 Pharmaceutical Development, fall under the International Conference on Harmonization (ICH), a tripartite group comprising government regulators in the United States, the European Union, and Japan.
While such working guidelines can help pharmaceutical manufacturers get a handle on regulations, following them is not the complete answer to compliance, experts say. Instead, compliance efforts should be undertaken in a holistic fashion, not isolated to a single product line or function. In fact, approaching compliance in a tactical, stovepipe fashion could lead to inflexible processes, the experts say.
Instead, pharmaceutical companies should work on compliance and risk management collaboratively with government agencies, such as the FDA. More important, the companies need to incorporate risk management into the corporate fabric, just like the IT infrastructure. It must be defined in detail with a top-level strategy, an organizational structure, a model of categories, tools to measure and monitor risk, and ongoing optimization.
"Leading organizations, like Novartis, Merk & Co., and Shering-Plough, look at compliance as part of the operational excellence initiative," says AMR Research's Mooraj. "When you do compliance, it should not be done for the sake of nonconformance, but to better your processes."
Proactive Practices
Unfortunately, risk management practices at most pharmaceutical companies today are "detective in nature, reactive in approach, and siloed in practice," according to a recent report from KPMG LLP that outlines specific ways that pharmaceutical companies can improve their risk management frameworks. Research for the paper, called "Pressure Points: Risk Management in the Pharmaceutical Industry," was done in conjunction with professors at MIT's Sloan School of Management, the Wharton School of the University of Pennsylvania, and the Darden Graduate School of Business Administration at the University of Virginia.
The report concludes that there is no "shrink-wrapped" solution that fits every business, but there is an overarching framework under which companies can mitigate risk. That framework, the report says, should include proactive operational practices and a governance structure to improve risk oversight.
One of the biggest challenges facing pharmaceutical companies attempting to take a strategic approach to risk management is the global management of information. "It's easy to do in one facility, but that's not the reality," says Dennis Constantinou, senior director of life sciences strategies and marketing at Oracle Corp. "Multinational companies have manufacturing facilities globally, a variety of cost centers, and a complicated supply chain. The challenge is how to manage all of that information in a compliant fashion."
There are technology tools, such as Oracle's Process Manufacturing application, that can help by automating the lifecycle management for recipe-based manufacturing. Oracle Process Manufacturing, Constantinou says, supports more than 80 of the FDA-defined CGMPs right out of the box. Oracle also points to its Fusion middleware applications that can help manufacturers integrate with legacy systems. On top of that, a company could apply analytics to perform business intelligence and provide reports, he says.
For SkinCeuticals, a division of L'Oreal USA, Oracle's ERP, used in conjunction with ClearOrbit's Gemini supply chain data collection software, has improved lot traceability, which, officials say, is the company's biggest high-risk item.
SkinCeuticals, founded in 1997 and sold to L'Oreal in 2005, falls under the category of "cosmeceuticals," which are cosmetic products with drug-like benefits. SkinCeuticals, for example, makes topical solutions that protect the skin from premature signs of aging. The FDA does not currently regulate cosmeceutical companies, but that doesn't mean it never will. As a result, SkinCeuticals has incorporated a strategy that builds upon many of the pharmaceutical regulations. And traceability is job one for the company.
"If something happened on the inbound of the supply chain, like a contamination, I need traceability," says Timm Elrod, SkinCeuticals COO. While he doesn't have to answer to the FDA, he does have to answer to consumers and now — as part of L'Oreal — to shareholders. If something that is tainted is distributed, "there's a legal risk and a risk to the brand as well," he says.
Indeed, no company wants to risk its reputation. SkinCeuticals pioneered the process of dispensing cosmetic products through dermatologists and doctors, coupling medical advice with products. The business evolved so fast that the company had to figure out how to maintain its supply chain while keeping track of many small transactions that create high volume. The company has more than 6,000 accounts in the United States, many of which are shipped individual products. Therefore, the SkinCeuticals service model needed speed, flexibility, and an automated way to capture information.
"If the supplier calls me and has an issue with an ingredient, I need to tell what products it went into, who it was shipped to, and when. There has to be a lot of record-keeping," Elrod says.
The process Elrod designed uses the ClearOrbit application to feed production information back into the ERP system and also captures shipping information. "ClearOrbit sits in the middle and orchestrates conversations between Oracle, UPS [United Parcel Service], and activity on the floor," Elrod explains. It even captures the UPS tracking number and the information on the printed label describing everything in the box. As a result, if a product is called into question for any reason, backtracking does not mean weeding through a maze of transactions, Elrod says.
As SkinCeuticals has learned, simplifying and standardizing are the keys to managing risk. For example, the FDA's PAT guidelines outline a system for designing, analyzing, and controlling manufacturing processes through measurements. The goal is to create a repeatable process that can be reapplied across the board.
"With PAT, if you can prove you have a model for the manufacturing process, [the FDA] will accept the output of that process without testing it because it is following a standardized proven process already," says Rockwell's Honor. "It has the potential to change the dynamics."
Friend, Not Foe
But pharmaceutical manufacturers aren't the only ones looking to change the dynamics of regulation. The FDA, itself, is seeking ways to work more effectively with pharmaceutical and other regulated companies. Part of the problem with regulatory agencies, such as the FDA, is that they often communicate only with the regulatory group inside the company, and not the manufacturing team responsible for implementing the plan.
Recognizing this disconnect, the FDA is teaming up with Conformia Software, a purveyor of software that manages a product's overall development cycle, including research and commercial manufacturing. The two are conducting educational workshops, inviting major pharmaceutical manufacturers to engage in conversations with FDA investigators. The goal is twofold: The FDA wants to understand the obstacles associated with drug development, and pharmaceutical manufacturers want to gain insight into what compliance with the Q8 and Q9 initiatives entails.
The real purpose of the workshops is to get corporate regulatory heads, IT managers, and FDA inspectors together in one room in an amicable atmosphere. "That is unprecedented," says Joe Prang, CEO of Conformia Software. Risk management and quality by design "are not just scientific issues, but an IT issue as well, [which means] you have to bring business and IT into the same room with the FDA and the regulatory teams." Often, it can be an incoherent conversation because "they don't all speak the same language," Prang adds. But it's a discussion that has to happen, which is why Conformia is helping to facilitate the meetings. "Everyone is trying to figure out how to get harmonization and standardization," he says.
To that end, what pharmaceutical companies really need in order to create a consistent, holistic approach to risk management is new C-level executive involvement, experts say. Many companies have appointed chief compliance officers (CCO) as a way to demonstrate to regulatory agencies that they are committed to compliance. But the role is often not well-defined, industry observers say, and the individuals responsible are not always given the respect they deserve from R&D and manufacturing departments.
"The CCO is essentially a nonconformance project manager relegated to implement certain policies that may or may not be adopted enterprise-wide," says AMR's Mooraj. The CCO needs to be empowered, he says, perhaps with the creation of a cross-functional executive team that factors in how compliance projects can enhance processes.
That team would be responsible for implementing consistent compliance efforts enterprise-wide, with the greater purpose of building a more efficient business. "Instead of shoehorning additional processes into existing ones just to comply with CGMP regulations, look at the processes to see how to build better ones that not only allow the company to streamline work and create efficiencies, but, at the same time, make it easier to become compliant," AMR's Mooraj says.
The bottom line: Pharmaceutical companies have to start somewhere. Risk management is a broad category, which can make it difficult to figure out where to begin. In SkinCeuticals' case, Elrod took a "theory of constraints" approach to figure out what obstacle is keeping the company from the next step. "Understand the true complexity of what you are doing," Elrod says. "But understand it holistically, not just from one agenda, and you'll find a solution that is extraordinarily simple."