The Three Essential Elements of Regulatory Compliance and Quality Improvement

In my experience providing consultation services, I observe that many companies rush to implement computer systems. However, computer systems should not be introduced hastily.

To comply with regulatory requirements and improve quality, three elements are essential: Process, People, and Technology. Moreover, they must be implemented in this exact order. In other words, the introduction of computer systems comes last.

The implementation of Process, People, and Technology must be well-balanced.

1. Process

The first element to address is the process. Companies must establish a Quality Management System (QMS) with Standard Operating Procedures (SOPs) that comply with regulatory requirements. The first step in quality improvement is process revision. Companies with particularly complex procedures need to revise their QMS to make it simple, easy to understand, and easy to modify. It is also important to eliminate “unreasonable demands” and “waste” from processes.

Process revision is easier than the other two elements because it simply involves establishing compliance with regulatory requirements. When revising processes, companies should adopt a risk-based approach in accordance with ICH Q9 (Quality Risk Management) and consider the principles of ICH Q10 (Pharmaceutical Quality System). These international standards emphasize the importance of designing processes that are not only compliant but also scientifically sound and continuously improvable.

Furthermore, in today’s regulatory environment, ensuring data integrity has become paramount. Regulatory authorities including the FDA, MHRA (UK), and WHO have issued guidance emphasizing that processes must be designed to ensure the ALCOA+ principles (Attributable, Legible, Contemporaneous, Original, Accurate, plus Complete, Consistent, Enduring, and Available). This means that when designing processes, companies must consider how data will be generated, recorded, processed, retained, and reviewed throughout its lifecycle.

2. People

Once process revision is complete, People Management becomes critical. Process and personnel are like two wheels of a vehicle. Quality improvement requires a balance between process power and people power. As mentioned earlier, while processes can be determined relatively easily, personnel often do not follow them (or are unable to). This is because people cannot change immediately.

Within People Management, Change Management is particularly important. Companies must minimize confusion accompanying process changes and transition to new processes in the shortest time possible.

In Change Management, education, training, and coaching must be implemented in that order. Many companies only provide education (classroom learning). Using a driving school as an analogy, education is equivalent to classroom instruction.

Classroom instruction alone cannot enable someone to drive a car. On-road training corresponds to practical training. After process changes, confusion often occurs. Therefore, through training, companies need to keep the period of confusion short and shallow. Additionally, even after new processes are launched, continuous coaching is necessary to provide ongoing guidance for quality improvement and efficiency enhancement.

The Role of Education, Training, and Coaching

Education provides theoretical knowledge and understanding of “why” things must be done in a certain way. This includes understanding regulatory requirements, the scientific rationale behind procedures, and the consequences of non-compliance.

Training develops practical skills through hands-on practice in a controlled environment. This allows personnel to apply their theoretical knowledge to actual tasks before performing them in a production or clinical setting.

Coaching provides ongoing support and feedback as personnel perform their duties in real-world situations. Effective coaches observe performance, identify opportunities for improvement, and guide personnel toward excellence.

The Critical Role of Auditors

The area that companies must most fully develop is their auditors. As I have mentioned several times in this newsletter, without competent auditors, companies cannot properly maintain their QMS and organization, nor can they improve the effectiveness of their QMS. For regulatory authorities, a reassuring company is one that has competent auditors.

Competent auditors must possess not only deep knowledge of regulatory requirements but also the ability to assess risk, understand scientific principles, and evaluate the effectiveness of quality systems. They should be trained in audit techniques that go beyond mere checklist compliance to truly assess whether processes achieve their intended quality objectives. According to ISO 19011:2018 (Guidelines for auditing management systems), auditors should be competent, independent, and follow a risk-based approach to auditing.

Modern auditors must also understand emerging technologies and their implications for data integrity, cybersecurity, and computerized system validation. With the increasing adoption of cloud computing, artificial intelligence, and digital technologies in regulated industries, auditors need to expand their expertise beyond traditional GxP knowledge.

3. Technology

Computer systems should be introduced only after processes have been established and personnel have been educated and trained. Companies often mistakenly believe that introducing computer systems will improve processes, but this is a significant error. Companies must keep in mind that “implementing systems while processes are in chaos only systematizes the chaos.”

If computer systems are introduced after processes have been optimized and personnel have been educated and trained, regulatory requirement violations will decrease, leading to efficient quality improvement and, ultimately, cost reduction.

Computerized System Validation and Data Integrity

When introducing computer systems in regulated environments, companies must follow established validation principles. The GAMP 5 (Good Automated Manufacturing Practice) guide, published by ISPE (International Society for Pharmaceutical Engineering), provides a risk-based approach to compliant computerized system validation. The validation effort should be proportionate to the risk the system poses to product quality and data integrity.

Key validation activities include:

User Requirements Specification (URS): Clearly defining what the system must do from a user and regulatory perspective.

Risk Assessment: Identifying potential risks to product quality, patient safety, and data integrity, and implementing appropriate controls.

Validation Planning: Developing a comprehensive plan that addresses installation qualification (IQ), operational qualification (OQ), and performance qualification (PQ).

Traceability: Ensuring that requirements are traceable through design, testing, and operation.

Change Control: Implementing a robust change control system to manage modifications throughout the system lifecycle.

Periodic Review: Conducting regular reviews to ensure the system continues to meet its intended purpose and remains in a validated state.

Emerging Technologies and Considerations

In recent years, the pharmaceutical and medical device industries have seen rapid adoption of new technologies including cloud computing, Software as a Service (SaaS), artificial intelligence, and machine learning. While these technologies offer significant benefits, they also present unique validation and compliance challenges.

For cloud-based systems, companies must carefully assess vendor qualifications, data security measures, business continuity plans, and the ability to maintain data integrity and regulatory compliance. The FDA’s guidance on using electronic records and electronic signatures (21 CFR Part 11) and the EU’s Annex 11 to the GMP guidelines provide requirements that apply regardless of whether systems are on-premises or cloud-based.

With AI and machine learning, additional considerations include algorithm transparency, validation of training data, and ongoing performance monitoring. Regulatory authorities are developing frameworks for these technologies, and companies must stay current with evolving requirements.

The Balanced Approach: A Summary

The following table illustrates the relationship between the three elements and their implementation sequence:

| Element | Implementation Order | Key Activities | Common Pitfalls | Expected Outcomes |
|---|---|---|---|---|
| Process | First | Regulatory gap analysis; Process mapping and optimization; SOP development; Risk assessment; Data integrity considerations | Overly complex procedures; Lack of risk-based thinking; Insufficient stakeholder input; Neglecting data lifecycle | Compliant, streamlined processes; Reduced variability; Clear documentation; Improved data integrity |
| People | Second | Education (classroom); Training (hands-on); Coaching (ongoing); Change management; Auditor development | Education only, no training; Inadequate change management; Insufficient coaching; Weak audit function | Competent personnel; Smooth transitions; Sustained performance; Strong quality culture |
| Technology | Third | Requirements definition; Risk-based validation; Supplier assessment; System implementation; Lifecycle management | Premature system implementation; Insufficient validation; Neglecting vendor qualification; Poor change control | Efficient operations; Improved data quality; Reduced errors; Enhanced compliance |

Continuous Improvement and Quality Culture

Implementing Process, People, and Technology in the correct sequence establishes a foundation for continuous improvement. However, companies must recognize that quality improvement is not a one-time project but an ongoing journey. The principles of ICH Q10 emphasize the importance of a pharmaceutical quality system that includes continuous improvement and knowledge management.

Effective quality systems include:

CAPA (Corrective and Preventive Action): A robust system for identifying root causes of problems and implementing effective and sustainable solutions.

Management Review: Regular senior management reviews of quality system performance, including key metrics, audit findings, and improvement opportunities.

Knowledge Management: Systematic approaches to capturing, retaining, and sharing knowledge across the organization, particularly as personnel change over time.

Quality Culture: An organizational culture where all personnel understand their role in ensuring product quality and patient safety, and feel empowered to raise concerns and suggest improvements.

Conclusion

In conclusion, successful regulatory compliance and quality improvement require the balanced implementation of Process, People, and Technology—in that order. Companies that rush to implement technology without first optimizing their processes and developing their people will find themselves systematizing chaos rather than achieving efficiency and compliance.

By following this systematic approach, supported by risk-based thinking, robust change management, and continuous improvement principles, companies can build quality systems that not only meet regulatory requirements but also enhance operational efficiency, reduce costs, and ultimately better serve patients and consumers. The investment in getting processes right first, developing people second, and implementing technology third will pay dividends in sustained compliance, improved quality outcomes, and competitive advantage in an increasingly complex regulatory landscape.

Regulatory authorities worldwide increasingly recognize that companies with mature quality systems—characterized by well-designed processes, competent personnel, and appropriately validated systems—present less risk and require less intensive oversight. Therefore, the systematic approach outlined in this article is not merely a best practice but a strategic imperative for companies operating in regulated industries.
