New Digital Regulatory Requirements in Pharma

By Karl-Heinz Loebel
Director, Principal Consultant Regulatory Operations, Industry and Agency Liaison

Industry is juggling numerous challenges in a rapidly changing regulatory environment, made more complex by shifting legal goalposts and new requirements by the health authorities. Perhaps the most significant change for industry is the growing emphasis on digital submissions, as regulatory authorities seek to move away from documents and toward data.

Some of the new digital requirements to which organizations must adapt include the IRIS platform (Interactive Regulatory Information System) for reporting marketing status, preparation of European Medicines Agency-coordinated inspections and the submission of scientific advice or orphan designation applications and the Clinical Trials Information System (CTIS) to support the new Clinical Trials Regulation, as well as the SPOR data management services for the centralized management of master data and the long-awaited upgrade to eCTD 4.0.

These new platforms and requirements mean companies will need to get used to submitting data to the regulators, for example, by simply updating data sets for a product on the agency’s portal. This is an entirely new way of working both for industry and the health authorities, which brings with it the need for new skills and a better understanding of how digital workflows function and the consequences of inputting data into that database. It requires a more structured way of thinking about the processes and about the information collected and entered into a database, since the highest risk of inaccuracy is human error when entering data.

The structure of regulatory functions will inevitably undergo internal disruption to ensure clear focus on relevant processes and information. That will require increased use of virtual tools to leverage specific information in order to conduct intelligent queries.

Process change means re-harmonization

The digital transition also will put pressure on companies to reharmonize processes between functions and even between teams within the same function to ensure how data is gathered, entered and managed is consistent. This is an age-old issue for pharmaceutical companies, which have long operated in siloes, with each department having their own IT systems, their own databases and their own ways of collecting and storing data. To leverage that information for submissions, regulatory affairs has had to devote time and resources to taking data out of one database and typing into a different database — over and over again. The result of these multiple transfers is that errors are likely to be introduced, meaning information is inconsistent.

To overcome these problems, companies have sought to harmonize, often by introducing a unified system or tool. Unfortunately, these solutions are extremely costly and require complex and time-consuming data migration. Furthermore, it often turns out that this unified or all-in-one solution cannot easily adapt to new regulatory requirements from the health authorities.

Furthermore, global companies must be ready to address the different technological and digital requirements of multiple health authorities in order to sell their products worldwide. Thus, the solution needs to be versatile enough to adapt to different agency expectations and changes, which typically precludes large, inflexible solutions.

At the same time as electronic submission requirements have become standard, smaller and mid-sized companies have made their own investments in IT infrastructure, such as publishing tools, regulatory databases and regulatory information management systems. For these companies, a harmonized approach to address new digital requirements means finding a suitable solution – one that is not too expensive and that is flexible enough to be tailored to their size, product portfolio and geographic reach. What these smaller companies need to avoid is implementing large systems that turn what was a simple task into a solution with 100 or more different elements for every process, most of which are of no value to the company.

What this means is there can never be a one-size-fits-all approach. Rather, companies need the flexibility to adjust to digital requirements while retaining the wealth of information that resides within the business. Ideally that bridge between regulatory requirements and institutional knowledge would be supported by subject matter expertise that spans data informatics and regulatory or R&D – not only within companies but also at the health authorities.

An important consideration with digitizing the business is that regulatory is just one aspect for IT and informatics departments to manage. However, it is also the area with the most complicated requirements, because regulatory is responsible for transmitting information to the health authorities. For example, to submit an application to the European Medicines Agency, regulatory departments must run specific software that violates most common corporate security rules. That creates a huge disconnect between what regulatory does and the way IT implements systems and firewalls. Overcoming these discrepancies is far from simple.

Shift to the cloud

While sharing information between companies and health authorities through digital portals poses challenges, digital regulatory requirements are resulting in one overarching trend: a steady shift to the cloud for the exchange of information. This has already started happening at the EMA, where the CTIS and IRIS platforms create a common workspace that industry and regulators can work on and contribute to.

Again, while the change does streamline processes, it does bring complications, particularly with regard to how companies manage their intellectual property. Previously, companies would compile and develop regulatory documents internally and, until submission, the information or data was solely within the domain of the company. Moving to a shared domain means the company’s IP is now transparent to the regulatory authorities from the start of a submission compilation.

The broader implication is that not only is the data now not held behind a firewall, but there is also a need to ensure everyone within the company has access to that shared environment in order to work in that space. And if a person leaves the company, IT must ensure their access privileges are withdrawn. This creates a complex level of user management and user access necessary to support the submission, which means having additional resources, not only to handle the submission, but also to enable or withdraw user access to external systems.

The right timing

With so much change and digital complexity to manage, the question for companies is when should they develop their implementation plans for new regulations? Again, the answer to that is not simple, especially given changing regulatory timetables and, sometimes, decisions by the authorities to shelve projects.

As an example, in 2011 the EMA announced in a brief press released that it was closing its PIM (Product Information Management) project. Most companies had been doing groundwork in preparation for PIM for five years, investing significant amounts of money into technology to support the project. Any solutions developed could not have been used for other purposes.

There are constantly changes in how or when an agency project develops, so companies should ensure that any investment they make is of benefit to the business, independent of the regulatory requirement. Consider how a change might impact the business from a technical point of view and whether the process can be easily adapted to a change in direction from the health authority. A successful and cost-efficient solution rollout depends on flexibility, and that means placing the emphasis on process and adaptability over hasty investment in a large, one-size-fits-all technology platform.

Digital regulatory requirements are inevitable and broadly to the benefit of the industry, regulators and patients. However, they create complexities for which there are no easy answers. Companies will need to adopt a tailored and considered approach that balances the broader business need with the technology requirements presented by the regulations.