OR WAIT null SECS
For pharma companies large and small, one of the most pressing challenges of the next few years will be to understand compliance at a much deeper level, to obtain the tools to make it possible.
Sarbanes-oxley, 21cfr part 11, hipaa, pharmaceutical cgmps for the 21st Century: The industry has been hit in the past three years with a regulatory load unprecedented in its depth, breadth, and complexity. And because record-keeping, security of records, and auditability are at the core of what the federal government seems to be trying to accomplish, information technology is at the core of pharma's response. Across the industry, companies are scrambling to gain more complete control over their data.
In truth, say technology providers, the problem is even more complex than many in the industry realize. On the one hand, pharma faces far more compliance issues than the usual culprits. Not only are there complex new regulations emerging on the state level, but also pharma is increasingly forced to respond to customers, standards organizations, and internal initiatives in ways that mirror what is happening on the federal regulatory front. And the double whammy of Sarbanes-Oxley and 21CFR Part 11 looks less like a pair of difficult regulations, and more like a single push toward comprehensive control over records of all sorts.
No wonder compliance is front-of-mind for IT executives—and others—at pharma companies. For companies large and small, one of the most pressing challenges of the next few years will be to understand compliance at a much deeper level, to obtain the tools to make it possible, and to turn those tools to solid business advantage going forward.
Dennis Constantinou, senior industry director, life sciences, for Oracle, suggests that it is best to look at compliance as having four levels:
Generic regulations These include Sarbanes-Oxley, the regulations of the Occupational Safety and Health Administration (OSHA), and other regulations followed by a wide range of businesses, not just pharma.
Recent Compliance Regulatory Legislation and Guidance for Life Science
Industry-specific regulations These include not just FDA regulations, but also regulations from the Drug Enforcement Agency (DEA), the requirements of the Health Insurance Portability and Accountability Act (HIPAA), international pharmaceutical regulations, and the specific requirements of organizations such the as the International Standards Organization. A particular area of concern these days is state-level regulation, which is rapidly increasing.
Internal procedures "These include equipment safety procedures, self auditing, self imposed quality procedures," Constantinou says.
Customer requirements, such as contracts "Pharmaceutical companies maintain strong relationships with distribution companies for their pharmaceutical products, both domestically and internationally, as well as compliance with the federal government in terms of contract regulation and pricing," Constantinou says. "How do you work with those customers, even if they're contract manufacturers or suppliers, on quality assurance, on contract management, on electronic data interface and exchange of information?"
Speeding "time to peak efficiency"-How Serono set a new IT goal for itself.
The different forms of compliance may not all be backed by the power of governments, but all of them require retention of secure records and the ability to locate specific pieces of information and generate reports. "They're all interrelated," explains Constantinou. "If you don't have your compliance for the FDA in order, then you run into problems with customer requirements, and potentially you'll run into problems with other regulations." Companies need to look past their response to individual regulations toward a broader strategy of maintaining, analyzing, and protecting data.
One of the hot issues for CIOs today is the Public Company Accounting Reform and Investor Protection Act, better known as Sarbanes-Oxley (SOX), enacted in 2002, which aims to improve the reliability of the audit process.
"I was with a medical products company in Germany last week, and we talked about Sarbanes-Oxley" says Jim Sabogal, director of the life sciences–pharmaceuticals business unit for SAP. "For the most part, the question was, 'We're spending 20 percent of our IT resources on Sarbanes-Oxley. Is that high?' And our answer was yes, that's a lot of resources to be putting in one particular area."
For pharma companies, Sabogal says, SOX should represent familiar territory. "In manufacturing," he says, "you're trying to maintain control over how the whole process is organized and reported. In 21 CRF Part 11, we have a rule that covers digital signatures and electronic records. Because of Enron and all those other folks, the United States has now added that same level of scrutiny to financial records. Any time someone makes a change to a financial record, the technology needs to keep track of who's made the change, so that nobody can go in there and modify a financial record. In our own product we use the same digital signature tool technology that you find in manufacturing."
Sarbanes-Oxley may be difficult and expensive to comply with, but at least it creates a single standard for the whole country. In recent years, and especially in the past year or so, there has been an explosion of state level regulations aimed at curbing particular pharmaceutical marketing practices. "Sixteen states restrict or prohibit drug advertising," says Ronald Buzzeo, chief regulatory officer for Dendrite, and CEO of BuzzeoPDMA (since January, a division of Dendrite). "That can be rebates, that can be coupons, that can be discounts, which will impact what companies can do," he says. "Vermont, since 2004, has required disclosure of certain information about marketing activity directly involving a practitioner. At least six states require reporting and disclosure of advertising and/or gift-related expenditures or budgets. There have been over 60 bills introduced in the first half of 2005 dealing with these issues."
One area commonly regulated at the state level has to do with samples, and how reps can and can't interact with midlevel practitioners, such as nurse practitioners and physicians' assistants. In some states, Buzzeo explains, midlevel healthcare workers can receive a sample but not dispense it. In others, they can dispense but not dispense samples. In still others, they can do both, but only if they have a signed collaborative agreement with a physician. "As a company, how do my sales reps know what they're supposed to be doing?" asks Buzzeo. "If it's a paper-based system, the rep is out there with a piece of paper. If it's an electronic system, the rep goes into the system, and it says, for example, Mr. Jones is a mid-level practitioner in the state of Michigan. He is able to receive my sample, so I can leave it."
Dendrite has built state-level controls into its solutions for sample management and sales force effectiveness, and is in the process of developing a product that will make current state-level regulatory information online.
"The industry best-practice rules for managing compliance are already in the applications," says David Escalante, vice president of product management for Dendrite. "But when we deploy the applications for a particular customer, we have a process to review those baseline requirements, and receive updates from the customer on how they should be updated, based on how they run their business."
The big systems integrators and enterprise resource planning (ERP) providers are actively pursuing solutions to pharma's regulatory challenges, but the field still has many specialized players providing highly focused solutions for specific portions of the business.
In some cases, companies with substantial experience in other industries are adapting their products for pharma's needs. Take, for example, MRO Software, which provides asset-management solutions. The company, whose name stands for the industry abbreviation for "maintenance, repair, and operations," has its roots in heavy manufacturing, such as the auto industry. "All of the welding arms in GM plants in North America are tracked in our database," says Vaughn Harring, MRO's director of public relations. "We know, for example, that these motors need to be replaced every ten thousand or hundred thousand welds. At the right time, up pops a plan on the system. It says, 'We've got to replace the motor in this welding arm on this machine. Here are the parts required. We need a mechanic and an electrician.' Our system talks with the various other systems in the company."
The advantage of using technology to run such manufacturing-related functions as maintenance and calibration is that a computer system like MRO's Maximo Enterprise Suite can bring together a wide variety of information and place it at the disposal of the people who have to do the work. When the system flags a piece of machinery for maintenance, for instance, it can deliver blueprints, drawings, parts lists, maintenance records, and standard operating procedures directly to a laptop or handheld device. Because it is crucial to deliver only the latest, approved version of documents, Maximo, like many compliance-oriented software tools, has been designed to work with standard document management systems. "We interface with Documentum for more generic documents," says MRO's Eric Luyer, manager of industry marketing for global manufacturing industries, "but we do have interfaces with typical engineering documents, drawings, or blueprints of buildings or facilities, or engineering documents with the full details of an asset. We work with partners who are really focusing on those types of applications, and we are working on a strategic level to build integration between those tools."
In other cases, companies are partnering with ERP vendors to develop products that add pharma-specific features to existing systems. For example, content management is a key area for most pharma companies. The industry relies on a large number of documents that relate to compliance: standard operating procedures, recipes, clinical trial results, marketing materials, and many others. It is crucial for companies to be able to control who can change these documents, to track and archive versions, and so forth. Increasingly, companies are using electronic content management systems, such as Documentum, to do the job. But Documentum is industry neutral; it needs to be customized by building in best practices and document types, for example. Several companies have been developing software products that sit on top of Documentum, and adapt it to specific industry needs.
One of the most elaborate add-ons is FirstDoc Enterprise Suite, developed by First Consulting Group (FCG). FCG has been working as a consultant to the industry in deploying content management systems since 1993, and about five years ago decided to take what it had learned and turn it into a software tool, FirstDoc. The product has components for R&D, clinical trials, GMP manufacturing, marketing and sales, and medical information services, to ensure that specific document types are handled appropriately. "For example," says Sarah Powell, FCG's director of product strategy, "let's say you're in the clinical area. You write a clinical protocol, and it has been approved and distributed to your investigators. At that point, if you need to change it, the best practice is not to just modify that document but to create an amendment to it. We've put amendment functionality into the repository that allows them to do that in an automated fashion as opposed to in a manual fashion."
"In the past, says SAP's Sabogal, "pharmaceutical companies in particular have basically gone the route of individual IT islands. They have a different solution to R&D versus manufacturing versus financials. And now, as you try to roll these things up together, it gets to be a technology challenge that is quite expensive. So IT executives are really going to think what kind of investment they have to make now, so that two years from now, when the FDA is asking for pedigree information, they're in a position to deliver it.
"Over the next few years, we're going to see a lot of folks providing major investments, and you really have to think proactively," Sabogal says. "It has to be, 'I invested a year ago in a certain technology, and now I have to do another investment. But it's going to have to last me three or four years, and I want to be able to address all these different compliance issues.' A lot of it will be driven by what's your landscape, what components do you have in it?"
For some larger companies that have grown through mergers, the problem is complicated by the fact that when they made acquisitions, they also acquired disparate legacy IT systems. "Where traditionally they might have had a greater degree of confidence in their compliance within their own companies, they're now responsible for compliance across this much greater landscape than they had before," says Oracle's Constantinou. "That's making them nervous."
In the long run, companies may end up shifting to enterprise-wide applications, designed to be what Oracle's Doug Souza calls "the single source of truth." But for the foreseeable future, it's likely that most companies will be stitching components together. Technology suppliers are looking more closely at issues of system architecture to see how multiple components can be made to work together better.
At the Drug Information Association annual meeting in July, for instance, Microsoft unveiled its new Digital Pharma initiative, designed to make it easier for life sciences companies to share information, collaborate across sites, and implement new technological solutions. The initiative has a number of components:
» written guidance on how to use Microsoft products in a life-science setting
» improvements to specific products based on life-science customer needs (for example, adding PKI electronic signature capabilities to Microsoft Office)
» building the company's internal readiness to deal with customers
» working to create industry consensus.
For many customers in the pharmaceutical industry, the most significant part of the initiative may well be what Microsoft calls its prescriptive architecture guidance for the industry, which aims to document the fine points of handling IT systems in the life sciences. "For example," says Jason Burke, industry strategist for healthcare and life science for Microsoft, "if you get SQL Server and you install it in your data center, in addition to the normal prescriptive architecture patterns that we've given you already, what are the specific things that pharmaceutical companies should be doing in terms of fine-tuning the way they install and manage and operate that server in a regulated environment? Or with a product like SharePoint, which many companies use for collaboration, we might make some specific recommendations on the way they use Active Directory with an LDAP [a common sort of electronic directory] as the authentication method to make sure that the requirements for 21 CFR Part 11 are being satisfied within that collaborative environment."
Microsoft is also looking closely at ways to facilitate the hand-off between unregulated and regulated systems. For example, a clinical trial protocol might start its lifecycle with notes on a napkin at lunch, move on to being an uncontrolled file in Microsoft Word, and undergo revision in a protected collaborative environment, such as SharePoint, before finally being moved to a content management system. "At some point," Burke says, "that document moves from an unregulated state to a regulated state, and in most organizations, the transition period is a bit undefined. They know when it finally gets to the regulated state, but it may be difficult for them to identify the exact point when it occurs. So we're looking at solutions that bridge the gap and that implement electronic policy based controls that are electronically driven, as opposed to paper, SOP–driven."
The goal is not to supplant high-security, industry-dedicated tools, but to give pharma companies the option of employing lower-cost, easy-to-use alternatives to ERP and content management systems. "The historical monolithic application, the über-application that does everything, isn't going to really work anymore," says Paul Mattes, enterprise sales and industry strategist for Microsoft. "Because to the extent that you need to orchestrate business processes within your organization, as well as across organizational boundaries, those applications start to break down and are not as flexible as they could be. So what we're trying to do is say, 'OK, from an interoperability perspective, how can we open those things up?'"
What is the biggest obstacle companies face in adopting technological solutions to regulatory compliance? To Judy Hanover, senior research analyst for the research and consulting company Life Science Insights, the answer is people. "There are a lot of personalities in a drug company," she says, "and getting those people to accept electronic processes is a huge issue. The value proposition in a lot of cases is still unclear. You're asking companies to invest with an uncertain return, and there are horror stories out there. I think things like that have caused a lot of reticence in the industry."
On the other hand, Hanover says, pharma companies have long given regulatory compliance blank-check treatment. The stakes are too high if they don't. As a result, over the next few years, compliance may become the driver that gets pharma companies to adopt technology, with improved business practices as the real payoff. Sarbanes-Oxley, by forcing companies to keep track of how their financial records are calculated, will make it easier to make detailed comparisons. Content management systems will not only preserve an audit trail, but have the potential to speed the creation of clinical trial protocols and regulatory applications through the use of templates, libraries of boilerplate language, and "smart documents" capable of interfacing with ERP systems and databases. State-level reporting requirements on marketing expenditures will put companies face-to-face with the facts of how effective their marketing efforts are.
In many cases, the relationship between regulatory and business benefits will be complex, and the assessment of value may be difficult.
An example: SAP's software has the ability to track pricing, but did not traditionally offer capabilities for tracking and reporting on prices offered to US government agencies—a crucial factor in dealing with Medicare and Medicaid. SAP and its preferred systems integrators—Accenture, Capgemini, and IBM Global Services—worked with a San Francisco-based revenue-management firm, Model N, to develop a government pricing solution to help manufacturers deal with the whole range of federal government pricing requirements: establishing policies, calculating, analyzing, validating, and filing with the appropriate agencies.
"There are very specific compliance requirements around governmental reporting and around the reimbursements associated with government programs," says Steve Zocchi, Model N's vice president of marketing and sales. "There are business requirements placed on the company to provide the most favorable terms to the government, and terms that are consistent with the reimbursement policies of each individual state. And there's a real challenge with managing the data, managing the calculations and policies, and having an auditable, reproducible history in case the government is interested in finding why I've made any of the submissions I've made."
In the absence of a product that specifically addresses government pricing, many companies have gotten by with Excel spreadsheets or with home-grown software. "That's what we did in order to get to where we are today," says Eric Bloom, vice president of information technologies at Endo Pharmaceuticals. "But it's very expensive and very time consuming and makes updates and modifications in our application much more cumbersome than if you just actually have a system that's designed to work well together." For Endo, the home-grown solution, made by SAP, has become increasingly unattractive because of two factors. First, Endo's business has grown rapidly, increasing the complexity of tracking pricing data. And second, SAP's recent upgrades to its products have increased the difficulty—and cost—of updates.
Those are important considerations in adopting improved, comprehensive compliance technologies, but there are others. For example, though it was intended primarily to assist in Medicare/Medicaid issues, Model N's product can also contribute to Sarbanes-Oxley compliance: "It allows companies to get their arms around the revenue lifecycle, which extends beyond the government regulatory application to managing pricing contracts, rebates, and charge-backs and looking at a reproducible, auditable record of what has been done in terms of managing their overall revenue," Zocchi says.
In the long run, though, once compliance has been achieved, the ability to analyze government pricing in depth will become a valuable business capability. "These resources can be used much more productively in terms of looking at the implications of government business and of policies that I apply," Zocchi says. "What will the impact be to my business if I increase my government business? Or what's going to happen when Medicare comes along? The technology becomes a tool that can be much more productive in managing the businesses going forward."
Companies still have a long way to go in adapting technology, says Life Science Insights' Hanover. "I still see companies where everything is done on paper in files, with handwritten signatures. There's a lot more work to be done. I hear estimates from CIOs that as high as 20 percent of their budgets go for compliance—so there's a lot of opportunity for cost savings. But you have to apply sensible business practices to it. There are lots of ways to interpret some of the guidelines, and in some cases, companies have almost gone too far."
Most companies have already had the experience of adopting ERP systems—big implementation projects that in the long run were worth the effort. "In the end, when they were working well, they really did produce some value, and save a lot of effort, and help drive down supply-chain costs," Hanover says. "I think they're going to see the same things from systems that enable compliance, if they give them a chance."