01 Designing the Structure ── Protect With a System, Not People
First, let us confirm the starting point. Why discuss "structure" at all? The answer is simple ── because people change, forget, and tire. Transfer even one excellent reviewer, and review quality drops. In a busy month, corners get cut; as work grows routine, discipline slackens. So rather than relying on the strength of any particular person, you first build a system that delivers consistent quality no matter who runs it. That is the purpose of designing a structure.
For a pharmaceutical company, this system is not something to decide freely. The Guidelines (=the Guidelines on Sales Information Provision Activities for Prescription Drugs, a notice from the Director-General of the Pharmaceutical Safety and Environmental Health Bureau, MHLW, 2018) require a skeleton of internal structure. Divided into four points, it looks like this.
Supervisory Department
The department that watches over the appropriateness of materials and information-provision activities. Keep it independent from the sales and promotion departments. If the people who make materials can pass their own work, standards go soft.
Review & Oversight Committee
A deliberative body that evaluates the appropriateness of materials and the validity of activities through multiple sets of eyes. Including outside experts is regarded as desirable. Do not leave it to one person's judgment.
Written Procedures
Put in writing how review proceeds, the criteria for decisions, and how records are kept. The foundation that lets the same procedure run even when people change.
Education & Training
Both reviewers and the people who create materials relearn the regulations and internal rules. A continuous practice that aligns the yardstick of judgment across the whole organization.
The key point here is that bringing AI into review does not change these four skeletal elements. AI is a tool, not the structure itself. "Judgments produced by AI" are added to what the supervisory department watches over; "how to use AI and how to verify it" is written into the procedures; "knowing the limits of AI" is added to education ── what changes is the content, not the skeleton. Even when a new tool arrives, the framework to be protected stays the same. Hold on to that.
02 Where Responsibility Sits ── What Cannot Be Placed on AI
In building a structure, the first thing to nail down is where responsibility sits. When something goes wrong, who answers for it? Leave this vague, and a convenient tool turns straight into "a system where no one bears responsibility."
The Guidelines place the subjects of responsibility squarely on people and organizations. First, the duty of management. The responsibility to build, supervise, and allocate the necessary resources for a structure of appropriate information provision lies with management, not the front line. On top of that, there is a responsible person who reviews materials and decides pass or fail, and a supervisory department that watches over activities as a whole. Responsibility forms a hierarchy, and at the end it reaches management. This configuration does not shift a single millimeter when AI is introduced.
Here let us draw one line that must not be blurred. What an MR (=Medical Representative, the person who provides prescription-drug information to healthcare professionals) may handle stops at information provision. Transactional and logistical terms ── price, stock, delivery, ordering, price negotiation ── are not the MR's role. Those belong to the domain of the pharmaceutical wholesaler and the hospital's purchasing function. When you have AI support materials and information-provision activities, do not let it cross this boundary of roles either ── do not let a tool meant to check the appropriateness of information provision drift into judging transactional terms. The division of roles in the structure stands on top of this line.
03 Governance ── Guard in Double and Triple With Three Lines
Once responsibility is settled, the next task is to shape it into a form that resists collapse. What helps here is the Three Lines Model (=an approach that splits the defensive role into three layers), widely used in the field of risk management. It grew up in the world of finance and internal audit, but it applies directly to a review structure.
The idea is this. If you rely on a single wall for defense, once it is breached, it is over. So you layer three lines with different roles, and when one is slipped past, the next catches it. Applied to review, it organizes as follows.
| Line of Defense | Who does what (relation to AI) |
|---|---|
| 1st Line: the front line | The people who create materials and those who perform first-pass review. They discipline themselves within daily work. This is the layer that first uses AI-support tools ── but the final confirmation of a judgment is done by a person |
| 2nd Line: oversight & compliance | The supervisory department and the review & oversight committee. Independent of the 1st line, they watch whether review is running to standard. They also monitor whether AI tools are used as the procedure requires and whether model performance is being maintained |
| 3rd Line: internal audit | Audit that is independent of both the 1st and 2nd lines. It confirms, based on records, whether the structure itself is functioning. It inspects the whole of review including AI, in a form that can be verified after the fact |
What matters most in these three layers is independence. If the person who makes a material reviews it, and that same person also audits it ── then wherever softness creeps in, no one notices. Because roles are split and made independent of one another, when one line slackens another can catch it. The danger of "two fences opening at the same spot" touched on in Vol. 6 is prevented precisely by splitting the lines. Introduce AI, and this independence matters more, not less. The more conveniently the 1st line uses AI, the greater the role of the 2nd and 3rd lines in watching whether that AI's output is being swallowed whole.
04 People and Roles ── Put on Paper Who Carries What
You can draw the three lines as a picture, but nothing runs until you actually assign people. What works here is the labor of putting each role on paper, one by one. Who judges, who executes, who is consulted, who is reported to ── leave this vague while calling yourself a structure, and in busy times things leak through the gap of "that's not my job."
Reviewer (1st Line)
First-pass review of materials, surfacing deviations. Receives the output of AI-support tools and verifies with human eyes, including context and figures and tables. Records the reasons for each judgment.
Supervisory Department (2nd Line)
Independent of sales and promotion, it monitors whether review meets standard. It halts deviations and reports trends to management. Deviations in how AI is used are also caught here.
Review & Oversight Committee
Evaluates the validity of difficult materials and activities through multiple eyes and an outside perspective. As a deliberative body it takes on the subtle lines that no single person can draw with confidence.
Information Systems & Maintenance
The behind-the-scenes work that maintains the AI tools, dictionaries, and models. When approval information changes, it updates and re-measures performance. It makes no judgments but holds responsibility for the soundness of the tools.
The fourth, Information Systems & Maintenance, is a role that gains weight only once AI is introduced. As we saw in Vol. 6, AI tools require the dictionaries and models to be updated every time approval information changes. Leave them alone, and review keeps running on an old yardstick, and misses grow. So you build "the person who keeps the tools" into the structure, placed apart from the person who judges in review. Here again the separation of roles works ── do not mix the person who builds the tools, the person who uses the tools to judge, and the person who audits the whole.
There is one principle for assigning roles. For each job, always name one person who bears responsibility. Hand it wholesale to a committee or a department, and everyone thinks "someone else will do it," so no one does. Deciding by deliberation and placing one responsible person do not contradict each other. Deliberation decides; one person bears responsibility by name at the end ── make these two coexist.
05 Risk Management ── Count the Ways It Can Collapse, in Advance
You must not build a structure only on the premise that things go well. How it can collapse should be counted in advance, with a countermeasure prepared for each. That is risk management. Here are the representative ways an AI-equipped review structure can collapse.
- Misses ── a problematic material slips past both AI and people and reaches the world. If a material touching on exaggeration (Article 66) or advertising of unapproved drugs (Article 68) is released, it leads straight to a regulatory violation
- Overreliance on AI ── the reviewer believes the tool's "pass" without verifying, and the reviewer's eye dulls. Convenience itself becomes a breeding ground for misses (the automation bias of Vol. 6)
- Model degradation ── approval information has changed, yet the dictionaries and models are not updated, so review keeps running on an old yardstick. Accuracy drops without anyone noticing
- Leakage of confidential information ── sending unpublished materials to an external cloud, where the information is stored or used for training. Confidentiality is lost in exchange for convenience
- Slipping back into person-dependence ── procedures become a hollow formality, reverting to a state of "only that person understands it." Review that was supposedly standardized in Vol. 5 again depends on individual craft
The countermeasure common to all of these is the two wheels of prevention and correction. Prevention is acting before it happens ── independent oversight, periodic re-measurement of models, binding the handling of confidential information by contract, aligning the line of sight through education. Correction is rebuilding after it happens ── tracing the review records and audit trail covered in Vol. 7, pinning down why it leaked, and fixing the procedure or the tool (=CAPA, Corrective and Preventive Action). Keeping these two turning is the substance of a structure that does not collapse.
06 Audit ── Confirm From Outside That the Structure Truly Runs
You built the structure, assigned the roles, and dealt with the risks. That is not the end. What is finally needed is audit ── a mechanism to confirm, after the fact, that the structure you built actually runs as it was drawn. The 3rd line of internal audit carries this.
The heart of audit is to confirm based on records. Not a verbal explanation that "we are doing it properly," but tracing the review records and audit trail preserved in Vol. 7 to see whether "when, by whom, on what grounds, and how it was judged" can be reproduced. Without records, audit cannot stand. So structure design and records are an inseparable pair.
| What audit confirms | The point added when AI enters |
|---|---|
| Is review done per procedure | Is there a record that the AI tool was used per the written procedure and its output was confirmed by a person |
| Is independence maintained | Are the maker, user, maintainer, and auditor separated, and is the 2nd line not overly dependent on AI's judgments |
| Was correction applied to deviations | When an AI miss or model degradation was found, is there a record of tracing the cause and fixing the tool and procedure (CAPA) |
| Does the structure match the latest regulations | Are the dictionaries, models, and procedures updated in step with revisions to approval information and standards |
Introduce AI, and the tool itself is added to what audit covers. "When, on which answer set, with what performance was that tool measured?" "Is there a history of updates?" ── the verification records described in Vol. 6 become, as they are, the material for audit. Keep AI's judgments, like human judgments, in a form that can be verified after the fact. If this is done, then when there is a regulatory investigation or an internal finding, you can explain with records: "Review in this period was supported by this structure and by a tool of this level of capability." A structure that withstands audit is, in the end, a structure that can be explained.
07 Connection to Other Chapters ── The Structure Is the Vessel That Binds Every Installment
The structure and governance seen this time are the vessel that binds nearly every installment of this series. Individual tools and procedures work only once placed inside a structure. Read together, the dots become a line.
- AI Material Review Vol. 5 ── Standardizing Review and AI ── the structure of this installment is the vessel that lets the organization keep holding the standardized common language. Written procedures and education are the mechanism that keeps the standard from weathering away
- AI Material Review Vol. 6 ── The Real Ability and Limits of Support Tools ── the distance that neither over- nor under-trusts the tool is fixed not as individual mindfulness but as the division of roles in the structure. Separating the maintainer from the judge is what this installment does
- AI Material Review Vol. 7 ── Review Records, Audit Trails, and CAPA ── what the audit and risk management of this installment use are the records preserved in Vol. 7. No records, no audit. Structure and records stand as a pair
- AI Material Review Vol. 4 ── Rule Design ── what the Information Systems & Maintenance role protects are the dictionaries and rules built in Vol. 4. The contents of the tool are the very rules that were designed
Good tools and good procedures do not last without a structure to support them. People change, forget, and tire. That is exactly why, rather than relying on the strength of any particular person, you first build a system that delivers consistent quality no matter who runs it ── this is the core of designing a structure. The four elements required by the Guidelines ── supervisory department, review & oversight committee, written procedures, education ── are a skeleton that does not change even when AI is introduced. Only the content changes. A new tool works only once placed inside this vessel.
On top of that, what must never be let go of is where responsibility sits. However clever AI becomes, the decision to release a material into the world, and responsibility for the result, can be borne only by people and organizations. "Because the AI passed it" does not hold. Guard in double and triple with three lines, put the roles on paper, count the ways it can collapse in advance, and confirm after the fact based on records. As long as you do not let go of this stance, AI makes review faster and more reliable. Next time, building on everything so far, we will look ahead ── how people and AI will divide their roles, and draw the future picture of review.
- Protect review with a system, not individual goodwill. The skeleton required by the Guidelines is four things: supervisory department (independent from the makers), review & oversight committee (deliberation with outside eyes), written procedures, and education. Even with AI introduced, this skeleton does not change. What changes is only the content ── how AI is used and verified.
- Responsibility, both under the regulations and in ethics, lies only with people and organizations. Management holds the duty to build the structure, and an AI "pass" is not an indulgence but a starting point for a person to verify. Defense is layered with the Three Lines Model (1st line = front line, 2nd line = oversight & compliance, 3rd line = internal audit), keeping independence. The line that an MR may handle only information provision ── price, stock, delivery, and other transactional terms are out of scope ── must not be crossed by the tool either.
- Put each role on paper, and name one responsible person for each job. Count the ways it can collapse (misses, overreliance, model degradation, leakage of confidential information, person-dependence) in advance, and turn the two wheels of prevention and correction (CAPA). Audit is the practice of confirming, based on records, that the structure actually runs, and AI's judgments too should be kept in a form that can be verified after the fact. A structure that withstands audit is a structure that can be explained with records.
- MHLW, Director-General of the Pharmaceutical Safety and Environmental Health Bureau. Guidelines on Sales Information Provision Activities for Prescription Drugs. Yakusei-hatsu 0925 No. 1, September 25, 2018 (applied April 1, 2019). (Primary source defining the internal structure ── the duty of management, establishment of the supervisory department and review & oversight committee, written procedures, education, and monitoring.)
- MHLW. Act on Securing Quality, Efficacy and Safety of Pharmaceuticals, Medical Devices, etc. (Pharmaceuticals and Medical Devices Act), Articles 66, 68, and 68-2. (The respective provisions on prohibition of exaggerated advertising, prohibition of advertising unapproved drugs, and appropriateness of information provision in sales information provision activities.)
- MHLW, Director of the Compliance and Narcotics Division, Pharmaceutical Safety and Environmental Health Bureau. On the Revision of the Standards for Fair Advertising of Drugs. Yakusei-kan-maku-hatsu 0929 No. 5, September 29, 2017. (A notice translating the Act's advertising regulation into practical standards. Issued by the Director of the Compliance and Narcotics Division.)
- MHLW. Ministerial Ordinance on Standards for Post-Marketing Safety Management of Drugs, Quasi-Drugs, Cosmetics, Medical Devices and Regenerative Medicine Products (GVP Ordinance). MHLW Ordinance No. 135, 2004. (Ordinance defining the post-marketing safety management structure and the duties of the responsible person. A framework for designing a quality-assurance structure.)
- The Institute of Internal Auditors. The IIA's Three Lines Model. 2020. (The original source of the Three Lines Model that splits the defensive role into 1st, 2nd, and 3rd lines. The basis of governance and independence.)
- International Organization for Standardization. ISO 9001:2015 Quality Management Systems ── Requirements. ISO, 2015. (The international standard for a quality-assurance structure, including clarification of responsibility and authority, PDCA, and continual improvement.)