
Using a Compliance Platform to build Custom Compliance and Quality Applications

Despite the availability of off-the-shelf compliance and quality applications in the market, many organizations still choose to develop custom compliance software to support their unique business processes and reporting requirements in their environment. The cost of ownership of such custom applications is high due to long development timeframes and higher on-going maintenance costs. This paper suggests that using a compliance platform as a starting point dramatically reduces the cost of ownership of a custom-developed application. The paper also provides an important checklist if you or your organization is contemplating developing a custom compliance and quality application.

Packaged Compliance and Quality Applications
Organizations are successfully implementing enterprise-wide compliance and quality systems to gain visibility and control over key quality processes across their operations and to ensure compliance with government regulations, industry mandates, company policies and internal initiatives. If quality is not managed in a systematic, enterprise-wide manner, it can result in line shutdowns, reduced employee productivity, higher internal costs, loss of key customers, and slower revenue recognition. Not achieving compliance with government regulations can lead to penalties, fines and plant shutdowns. Gaining enterprise-level visibility into key compliance and quality metrics is critical to managing risk and implementing continuous improvement practices throughout the organization.

An enterprise-class compliance and quality system enables companies to identify, track, manage and correct issues and exceptions in key operational processes. Such systems contain the following capabilities:

  • Audit Management that enables organizations to create audit checklists and schedules, define qualitative or quantitative pass or fail criteria for each audit checklist component, record detailed observations, report results and ensure that the entire process can be implemented with appropriate audit controls and approvals
  • Inspections that enable an organization to define product inspection criteria and sampling plans, specify qualitative and quantitative inspection criteria and acceptance levels for each attribute, collect attributes data, calculate CPKs from inspection data and compare against acceptance levels to monitor manufacturing process control or incoming part variance levels and identify non-conformance
  • Adverse event reporting that enables an organization to capture and report adverse events such as workplace accidents or hazardous material spills
  • Non-Conformance tracking that enables the identification and recording of material and process non-conformances, tracking of these issues across the organization and routing them for further review and approvals to determine disposition such as corrective actions.
  • Corrective Action/Preventive Action (CAPA) to deploy a structured process for collaboration among problem owners, coordinators and team members to identify core issues and document the actions to be taken to resolve the problem to correct the nonconformance or to prevent the recurrence of the problem
  • Change Control including updating existing SOPs (Standard Operating Procedures) or creating new SOPs; updating other documents; recalibrating equipment; (re)training employees, etc., to implement the actions identified in the CAPA process. The change control process also leaves an audit trail, which is critical for regulated environments.
  • Training including management of training offering, schedules and enrollment, maintaining and reporting on training records for regulatory requirement, course material routing and approval and providing feedback on instructor and course material effectiveness for closed-loop control.
  • Reporting and Dashboard capabilities generate specific metrics on the performance of closed-loop corrective action process and create reports about compliance with various regulations such as FDA or EH&S.
  • Document Management that serves as a central repository for all relevant documents and records with support for search and view, change-request lifecycle (check-out, update, approval cycle, notifications and check-in with version control), distribution control (set controls on the distribution of sensitive documents and generate detailed reports by document type and distribution list) and an audit trail for history tracking.
  • Security to ensure that unauthorized access to any record is strictly prohibited and the application implements specific capabilities such as encryption, electronic signatures etc to support specific regulations.

Off-the-shelf compliance and quality software is increasingly being implemented by large and small companies across various industries to address regulatory compliance issues (such as 21CFR part 11 or OSHA) or customer-mandated quality processes (such as implementation of QS9000 or TS16949 by suppliers in the automotive industry) or to support internal quality initiatives (such as an implementation of ISO9000 or six-sigma).

Why build custom compliance and quality software?
Many organizations have unique audit and corrective action processes that require collection of very specific transaction data. In addition, such processes may also have very unique workflows and reporting requirements and require integration with multiple proprietary systems for specific process data. These scenarios abound in a large-distributed organization when one is automating an audit of a service process or corrective action in a supply chain process or compliance reporting for a very specific industry regulation. It is also very common for a company that is implementing leading edge best practices to have very unique data collection and process workflow requirements.

As a result, off-the-shelf compliance and quality systems do not entirely map to such a scenario unless the application is heavily customized. Hence many organizations opt to build their own custom compliance and quality applications to support their unique data collection, process workflow and application integration requirements. In addition, some organizations may start with an off-the-shelf application and add custom modules to support a specific audit process or a unique regulatory reporting requirement.

Figure: Compliance and Quality Software

Key components of a custom compliance and quality software
Once an organization has decided to custom build its own compliance and quality application, it would need to incorporate the following elements within the custom application.

  • Management of both unstructured and structured data: Quality and compliance applications are very document-intensive and require the application screens, workflows and database to support the management of both structured and unstructured data. This requirement creates additional design considerations for system auditability, security and performance.
  • Document Management: The custom application needs to support document access and control capabilities such as search and view, change-request lifecycle, controls on the distribution of sensitive documents and an audit trail for history tracking. Such capabilities enable creating, revising, approving, viewing, printing and archiving controlled documents such as Standard Operating Procedures (SOPs), Work Instructions, Policies and Certification documents.
  • Modeling quality & compliance objects: The custom application will need to model and implement various compliance and quality objects such as audits, issues, approvals, action items, checklists etc because such objects form a key component of any Internal Audit Management, Material Inspection, Corrective or Preventive Action and Change Control applications.
  • Real-time Event Management Sub-system: The custom application will need to provide capability to the user to define customizable rules that trigger events and provide mechanisms for appropriate programmatic actions within the application when an event occurs. This event management capability has to be scalable, reliable, and extensible.
  • Electronic Signatures and other compliance requirements: If the organization is creating a custom application for an FDA regulated environment, they have to support 21CFR Part 11 requirements. These include:
    • Product requirements such as electronic signatures
    • Audit requirements such as use of a development lifecycle methodology

The custom application must support the ability to capture username, password and purpose-related data for any transaction and log that information for audit purposes. It should also provide automatic user lockout after a finite number of failed attempts.

  • Dashboard, Reporting & Metrics: The custom application needs to provide a library of key metrics and user configurable reports/dashboards that leverage the metrics and data to provide quick visibility into process status and performance. The custom application must also provide a reporting wizard and integrated capabilities for charts and in-context drilldowns.

  • Integration with external systems: The custom application needs to provide a mechanism for easy integration with other applications and cost-effective on-going maintenance of such integration over time.
  • Offline Access: Many activities such as audits and inspections can be done more effectively if the users had offline access to the application. The custom application must support offline access capability, if the business process requires such a capability.
  • Engaging casual users: One of the key factors for successful compliance with regulations is that everyone who interacts with the relevant processes should follow the defined policies and procedures. Typically these procedures and policies are encapsulated in applications that automate the process. Hence, successful compliance requires 100% adoption of these applications by everyone who interacts with the process. However, this requirement also implies that even the most casual users within the enterprise and at suppliers should know how to navigate through the application and should always use it as they interact with the process, making them the weakest link in the compliance process. If the custom application enables casual users to access a relevant form without having to learn the application, then it will enjoy broader access among casual users.
  • Auditability: An application developed for the regulatory environment needs to provide an ability to audit any previous activity on the system. As a result, this capability consists of two separate system requirements: update transactions that do not override previous records but create new records, and metadata about the audit, so that reports of the audit history can be easily created.
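
The electronic-signature and auditability requirements above can be sketched together as follows. This is an added example, not code from the paper or from any compliance product; the class name, field names and the lockout threshold of 3 are assumptions made for illustration.

```python
import hashlib, hmac, os, time

MAX_FAILED = 3  # assumed threshold; the paper says only "a finite number"

class SignedAuditStore:
    """Hypothetical store: every write is e-signed and appended, never overwritten."""
    def __init__(self):
        self._users = {}     # username -> (salt, derived password hash)
        self._failed = {}    # username -> consecutive failed attempts
        self._versions = []  # append-only list of record versions

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._derive(password, salt))
        self._failed[username] = 0

    def is_locked(self, username):
        return self._failed.get(username, 0) >= MAX_FAILED

    def _authenticate(self, username, password):
        if username not in self._users or self.is_locked(username):
            return False
        salt, stored = self._users[username]
        if hmac.compare_digest(stored, self._derive(password, salt)):
            self._failed[username] = 0
            return True
        self._failed[username] += 1  # counts toward automatic lockout
        return False

    def sign_and_write(self, username, password, purpose, record_id, data):
        """Append a new signed version; return its number, or None if refused."""
        if not purpose or not self._authenticate(username, password):
            return None
        version = 1 + sum(1 for v in self._versions if v["record_id"] == record_id)
        self._versions.append({
            "record_id": record_id, "version": version, "data": dict(data),
            # audit metadata: who signed, for what purpose, and when
            "signed_by": username, "purpose": purpose, "signed_at": time.time(),
        })
        return version

    def history(self, record_id):
        return [v for v in self._versions if v["record_id"] == record_id]

    def current(self, record_id):
        hist = self.history(record_id)
        return hist[-1] if hist else None
```

An update to a record produces version 2 alongside version 1, so an audit report is a read of `history()` rather than a reconstruction from logs.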

If such capabilities were designed into a software platform created specifically for compliance and quality applications, an IT organization could reuse such objects and capabilities by building its custom application on such a platform, rather than defining, modeling and programming such capabilities from scratch in a custom application. Modeling and programming such objects can consume over 50% of the overall programming effort in an application.

Any custom application built on a compliance platform automatically gets access to all the common services defined within the platform. As a result, development of a custom compliance and quality application/module is practically reduced to defining and programming the process logic and user interface forms; the application/module leverages the platform for common services that it would otherwise have to build. We estimate that building applications on a compliance platform can save over half of the initial development effort for a custom application and over 80% of the annual maintenance resource requirements for a custom application. As a result, organizations can build functionally-rich custom applications for compliance and quality at a dramatically lower “cost-of-ownership”.