Designing Fit-for-Purpose GCP SOPs: What About Policies?

In our last post in our series on designing fit-for-purpose GCP SOPs, we calculated the cost of a single quality document. Today we consider a document type that doesn’t always add a lot of value:  Policies.

Policies, defined by ASQ as “statement[s] of intent or commitment[s] for achieving an objective,” are standard features of a GXP Quality Management System. Most systems are headed by a Quality Policy or policy-like Quality Manual. Under GCP, sponsors may have policies for adverse event reporting, information security, privacy, record retention, 21 Code of Federal Regulations Part 11 adherence, electronic signatures, and conflict of interest.

In theory, policies provide a foundation for the quality management system by describing commitments to objectives, whereas SOPs outline execution steps for achieving those principles. For example, a record retention policy might state that the company is committed to retaining records for the timeframes required by laws, regulations, and GXPs, whereas a record retention SOP might outline the roles and responsibilities for classifying, archiving, and destroying records.

In practice, though, policies can add a lot of unnecessary bulk to a quality management system. It doesn’t take too many words to say, “We commit to retaining records for their required retention periods,” so policy writers tend to pad policies with verbiage that may conflict with a supporting SOP. (A frequent exclamation in our office: “Are they getting paid by the word?”) We’ve also seen policies articulate commitments that are not addressed in any SOP, which means the organization has no plan to operationalize the policy.

Policies are useful when they describe codes of conduct that permeate employees’ actions in a variety of situations.  An anti-sexual harassment policy, for example, cannot be easily operationalized because employee interactions that might give rise to sexual harassment occur continuously. There is no point in an SOP that states, “Step 1.  Say hello to your co-worker at lunch.  Step 2.  Refrain from harassing your co-worker.”  Instead, a policy gives guidance for behavior over a range of situations.

Most GCP processes, however, can and should be operationalized. It’s difficult to see what value a record retention policy adds when there is a clear record retention SOP. It’s hard to imagine that staff members following a computer system validation SOP would be confused by the lack of a 21 CFR Part 11 policy.

In GCP, we can save ourselves time and effort by foregoing policies altogether; including simple high-level policy statements in our SOPs; or putting all our policy statements in a quality manual.