The pharmaceutical industry is overloaded with regulatory documents, such as policies, standard operating procedures (SOP) and working practices, and needs a robust, understandable and effective architecture model to drive compliance. Once the architecture is clearly defined, it’s important that the documents themselves should be easy to use and lead to compliance. Remember, compliance is achieved through simplicity and clarity, not complexity or extensive detail.

The pharmaceutical industry could not function without all of its regulated documents, and there is nowhere where this is truer than in a manufacturing site. The globalization of manufacturing has led to a situation where a single site maybe releasing product to tens of different markets, and it needs policies and procedures that are sufficient to the task. Therefore, there are three fundamental requirements for the For the successful management of the control documents in a manufacturing environment, there are fundamental requirements: you need a clear architecture to define what does and does not go into different documents with a set of rules to keep the documents easily understood, and there needs to be a robust change control process to keep it all in line. Since change control is something usually covered at manufacturing locations, let’s focus on the rules.


In writing the control documents, there are ten rules to guide the creation and management of controlling documents. Ultimately, the guidance is that the documents themselves should be clear, easy to use and lead to compliance.

  1. Aim for simplicity and clarity, avoiding complexity and the drive to cover all eventualities. Organizations must seek opportunities to reduce complexity as this will enhance the likelihood that people will comply, and result in fewer errors.  When organizations try to cover every possible situation, the documentation becomes so complex it becomes practically impossible to remain compliant with it.

  2. Be outcome oriented.  Building on the first rule, it is important to define the outcome required, not the input expected.  When organizations define the input, or activity, then the process can be adhered to without meeting the regulatory obligations set by the regulator.  When the outcome is defined, then the tasks become those that are required to meet the outcome, and compliance is not achieved unless the outcome is right.

  3. Don’t aim for perfection; use a risk-based model. The goal is to develop a good system that is fit for the purpose without a lot of complexity. Inevitably there will be circumstances that are not catered for within the documents; do not expect every possible eventuality to be covered.  High frequency risks must be covered but low frequency high-impact risks are better managed by people reacting to the crisis rather than trying to mandate behavior a priori for every possible event.  Good controlled document architecture requires a risk based approach.

  4. Make processes role based, not job title based. While organizational restructuring happens frequently, organizations must build processes around roles, which will expedite redevelopment or integration of documents. This also allows for the organization to align to local requirements without needing to rewrite SOPs. For a role-based model to be successful, individuals need to have their roles recorded in the learning management system and these roles need to be maintained as responsibilities change.

  5. Ensure different document types have clear guidelines for the different content required. It has to be clear whether a specific document mandates process or simply provides guidance; the selected document type must also reflect this intent.  For example, policy documents set the ambition, a quality management system (QMS) lays out the scope, SOPs define how the scope is to be met and work instructions and other documents cover specific needs without covering all eventualities.

  6. Remember that regulatory documents should not take the place of job descriptions and operational training; they are there to create regulatory compliance.  We often find that many of the tasks laid out in SOPs are there to help people do their job; they do not address regulatory need.  This means that any situation that is not completely aligned with the way things were operationally when the SOP was written, now run the risk of causing unnecessary compliance failure.

  7. Manage all regulated documents in the same repository. Having multiple systems or, worse, no system at all, makes it difficult to view the entire portfolio.  If documents are in different locations then employees run the risk of not knowing where to look for the definitive version of documents. It becomes difficult to quickly assess the impact of a change and there is a significant risk of personally held (and therefore uncontrolled) versions being used to execute critical processes.

  8. Manage local variations locally.  Local organizations are accountable for ensuring that they meet the obligations put on them by the global organization and by their local regulator.  When there is a conflict between these two then the local wins, if there is no conflict then global takes precedence.  Trying to incorporate local requirements into higher level documents often leads to increased complexity. Organizations should allow local variations to be managed locally rather than globally.

  9. Ensure vital training is proportionate to the level of involvement.  If a role is central to the execution of a process then organizations need to make sure that the right people have received training.  If, however, a role is involved only occasionally in the process, or influences only a small section of it, then the training for that role needs to be appropriate for the level of involvement.  This requires on-demand training and training courses that target sub-components of the process.  Training everyone on everything is neither popular nor effective.

  10. Make sure that creating and deploying new documentation and processes is not a “once and done” activity.  Organizations must enable the business to support continuous improvement and monitoring of the document portfolio.  They must also establish robust governance processes and infrastructure to provide effective oversight of the portfolio and enable rigorous monitoring to identify areas of weakness and opportunities in the portfolio.


Craig Wylie is a life sciences and healthcare industry expert at PA Consulting Group. You can contact him via Follow PA Consulting Group on twitter @PA_Consulting.