Manufacturing companies are increasingly subject to new compliance frameworks that need to be understood, incorporated, and adhered to in order to stay in business. Manufacturing compliance is increasingly a concern as a result of new regulations, and globally connected supply chains where products are made and consumed across multiple jurisdictions.
In an age of total transparency, the entire reputation of a business can rest on a single system error or the misguided action of a single employee. Compliance violations can lead to intervention by the authorities with a loss of reputation, financial damage, and criminal liability.
IT is an enabler
Manufacturing IT, owing to its role in the underlying business processes, is a key enabler of compliance. Yet poorly managed IT systems can also pose a significant compliance risk to the businesses. Badly designed software or legacy systems that have not been maintained can continually be in violation of several regulations and standards, without the business owners even being aware of this.
Compliance is not something that can be bolted-on; it needs to be intrinsic to the design and selection of each process supported by the IT system. Proper control systems should be in place to ensure that these systems are then maintained in accordance with the necessary standards.
Manufacturing compliance is subject to several regulations and standards, as well as industry and technical requirements throughout the value chain. Areas such as product safety, data control, and privacy, export controls, traceability, manufacturing records, environment, health and safety, product safety, employment, and financial reporting, are all compliance areas subject to various regulations and standards.
Examples of applicable standards in regulated industries include the FDA standards on Good Manufacturing Practice (GMP) and the Code of Federal Regulations (CFR). Other industries that do not fall within the scope of the FDA might be regulated by several standards such as ISO, and IEC, etc. Corporate reporting and access to funding might be regulated by Sarbanes-Oxley, Basel, the Equator Principles, and so on.
Bridging the disconnect
There is typically a large disconnect in compliance awareness at the different levels of the business (A.T. Kearney study, 2013). In general, compliance tends to be much more of a concern of top management, while lower levels in an organisation often view it as an unnecessary administrative burden or obstacle to doing ‘real work’.
The role of properly designed and implemented IT systems in ensuring compliance is significant. There are several ways in which IT can support compliance such as:
- Business processes that are designed to enforce the necessary disciplines and controls.
- Proper handling and storage of electronic records.
- Compliance related information dissemination and transparency.
- Information security.
- Well-designed business processes can enforce adherence to compliance processes and standards. But, the average user might complain about the “unfriendly” ERP system without realising that these systems are embedding multiple compliance objectives. It is therefore important constantly to sell the importance of these compliance objectives to these users.
Compliance in IT needs to be viewed holistically because it applies to all levels of the manufacturing system, from plant level sensor, process control, manufacturing execution, business process management, systems of record, analytics, and reporting. When companies are organised in silos, this holistic view of overall system compliance is broken down. In response, some companies will set up a separate compliance function reporting directly to the board that operates across all functions.
As with all IT systems, the technology itself is less important than the way the system is implemented and managed. Various internal frameworks exist to manage compliance include CoBIT, ITSM, COSO, etc. Implementation of these frameworks can often be fragmented and sporadic owing to their complexity and sheer weight. To add to this, fast-moving technological trends, such as mobile computing and cloud-based services, can run ahead of existing IT governance processes. In practice, employees and middle management then simply bypass IT controls to do their work. A balance, therefore, needs to be found between heavy governance frameworks and the need to support new agile processes needed by the business.
Manufacturing IT professionals at all levels must be familiar with the applicable compliance standards in their industry and ensure that all areas of IT, systems development, and implementation take these into account.
Regulated environments pose additional challenges
In regulated environments, IT systems will need to be validated. Validation ensures that the system meets the required standard and that it will remain compliant. Key elements of validation include audit trails, secure access, secure electronic transactions, etc. Validation also requires examination of the system functionality against requirements, the examination of the way systems are specified, designed, developed, tested, and maintained, and the associated change control processes. Organisational elements in terms of resources, skills, and awareness also need to be tested on an ongoing basis.
It is important to design validation into the ongoing manufacturing business processes and not just regard it as a single event. A management control system should be implemented around those processes with the highest risk of non-compliance. The system should record deviations from the standard, assesses the associated risk and compliance aspects, and follow through with corrective actions and feedback.
In conclusion, manufacturing system compliance is a critical competency of any manufacturing company. IT can play a vital role in ensuring that compliance is designed into the processes and managed on an ongoing basis, but this does require a level of maturity and awareness in the business as to the importance of being compliant in order to stay in business.
This article was first published on SA Instrumentation and Control.
