21 cfr part 111
TRANSCRIPT
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns
Effective GAP analysis as a Tool for complianceHow to fit GAP analysis into compliance initiatives
Dr Jennifer MethfesselSenior Consultant
ABB Life Sciences
Advanced Computer Systems Validation17-18th Nov 2003
London,UK
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns -
2
The aim of the talk
To explore how gap analysis can be used to improve compliance
Review the gap analysis process and how to make it effective
Think about how to choose the most appropriate method of gap analysis in a given situation
CSV Gap Analysis: Case Study
Gap Analysis in IT and for 21 CFR Part 11 Assessments
What are practical and impractical corrective actions
Using GAP Analysis to mitigate Enforcement Actions
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns -
3
Effective GAP Analysis Techniques
Why do a gap analysis? Seek reassurance that there are no serious gaps More information is required about suspected
or known gaps Inspection readiness Evidence of gaps is required to obtain resources/funding You need to know
The “shape” of the gap
The size of the gap
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns -
4
Elements of a Gap Analysis
Gap Assessment
Gap Management
Gap Communication
New Law or Guideline
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns -
5
Stages in the Gap Analysis process
Assessment Provide information about the gap
Communication Evaluate different solutions and decide between them Carry out further investigation to arrive at a decision Involve all relevant competencies in decision making Estimate resources, timing and costs
Management Identify knowledge and competencies required Implement solution
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns -
6
Gap Analysis Preparation
Gap = difference between actual state and desired state
gap gap
Actual
gapDesired
Know your desired state!Examples:
URS
FDA/EU Regulations
National regulations
HIPPA, Data Protection
Company procedures
Mandatory training requirements
Industry best practice (e.g.GAMP, IEEE, ASTM)
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns -
7
Assessment Techniques: The Checklist
Checklist describes desired state Examples:
Review of set of SOPs for an IT department Password and security requirements for computer systems Business Readiness Audit 21 CFR Part 11 compliance
Useful when…. Requirements are very clearly defined Gap Analysis will be repeated frequently Individuals don’t have high degree of subject knowledge Narrow scope Goal is Assessment only
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns -
8
Assessment Techniques: The Audit
Auditor prepares a script which is a prompt for the areas to be covered
Script typically includes examples of expected outcome Examples:
Supplier Audit Compliance Audit Internal Audit Validation Package Audit
Useful when…. Baseline of compliance status is required Scope is broad Goal is Assessment and Communication
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns -
9
Assessment Techniques: The Meeting
Chairman prepares script of areas to be covered and identifies required participants
Examples: Assessment of change of legislation which impacts a specific
system (e.g. Data Protection, Clinical Trials Supply) 21 CFR Part 11 Assessment Reaction to Regulatory Warning Letters or Inspection Findings Reaction to quality problems
Used when……… Narrow scope Multi-disciplinary input required Discussion required Goal is Assessment and Communication
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns -
10
How will you communicate the gap? Share a written summary of findings Give a presentation of findings
To the stakeholders To management
Good practice suggests… Include recommendations for gap management Facilitate meetings with stakeholders to discuss options Evaluate which options are best for the business Evaluate risks associated with each option
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns -
11
Manage the gap
What are the priorities? What is the urgency? Who will pay? Who has the knowledge to implement the solution? Get ownership for actions and commitment to deadlines Monitor actions Record closure
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns -
12
When is a Gap Analysis effective?
Gap is closed at appropriate cost in an appropriate time frame with the buy in of all
involved parties
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns -
13
The pitfalls
Only find the gaps you are looking for
Failure to analyse the root cause behind the gaps
Assess the gaps but don’t communicate or manage the gaps
Failure to monitor actions and document closure
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns -
14
CSV Gap Analysis: Case Study
The IT Director of a Development Department asked for a review of the compliance status of Computer Systems in the department
Scope included three sites (two US, one European) Gap Analysis against
FDA requirements for GLP and GMP US Title 21 CFR Part 11 OECD Guideline 10 / AGIT Industry Best Practice
(GAMP and ABB Eutech cross-industry experience)
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns -
15
ABB Eutech proposed gap analysis method
Site 1 SOP Review
Site 1 Audit
Site 2 SOP Review
Site 2 Audit
Site 3 SOP Review
Site 3 Audit
Summing Up
PlanReview Policies
Coaching
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns -
16
Deliverables
One report for each site which compares current practices against the defined criteria identifies existing compliance vulnerabilities in the systems
reviewed prioritises the compliance issues that these gaps present to the
business recommends how to solve the compliance issues identified
One summary executive report One presentation of findings to management
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns -
17
Participants in the gap analysis
Information Management Leadership Local Quality Assurance Manager Selected Systems Owners Network Design and Security Management Desktop Systems Management Server Systems Management Help Desk / Systems Support Management
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns -
18
Project manpower, costs and timing
Auditor style gap assessment 6 days CSV policy and guidance review, audit planning
and criteria definition 1 day Planning conference with audit team and client
(telecon) 5 day audit and SOP review on each site 2 days reporting per site 1 day exec summary Cost = USD 40K plus travel expenses Timing: Summary report 6 weeks after start
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns -
19
Desired state: Compliance criteria definition
Req Ref Description
Required By (External Guidance) Addressed by
Corporate CSV
GuidelinesGMP GLP21CFR1
1
OECD10
AGIT CSV
GAMP
Management
M01 Current Organogram exists, and indicates independence of QA Function
211.22 58.35 11.100a 1D CSV5 7.5.1
M02 Written Validation Policy approved by senior management.
11.10a11.10j
1A CSV4 CSV policy
M03 Written record retention policy / interpretation
58.195 11.10c
M04 Continuous Improvement/ self inspection processes are in place
58.35d 11.10 O1
M05 Records Ownership (details of who is responsible for the retained records)
58.190c
11.10c O6
M06 Evidence that QM practices are conducted to a recognized quality standard
7A CSV5
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns -
20
Actual state: Findings from reviews and audits
No
Compliance Requirement
Reference Compliance Finding
[F01] M02 Department X has developed an excellent policy statement and supporting set of corporate CSV Guidelines. In many ways these represent current best practice. For example:· they are clear and easy to understand; they use a simple framework to cover a broad range of application;· they address all the major computer systems compliance aspects of current drug development and manufacturing legislation;· they have a strong core of 'risk management' reflecting both GAMP and the FDA's August 2002 announcement on the future of the GMPs.
[F02] M02 The Corporate CSV Policy and Guidelines have a fairly general definition of their scope of application. In practice, the definition of a 'computerised system' is a little more vague, and it is possible that inconsistencies in the application of CSV Policy across Department X may arise.
[F03] M07 During the 2001 redraft, the process for review, roll-out and staff training for the corporate CSV Policy, Guidelines and Example SOPs was inconsistent across the three Department X sites, resulting in inconsistent awareness of and commitment to these corporate practices.
[F04] M01 While the Electronic Records and Electronic Signatures guideline provides a good overview of the responsibilities required to comply with 21CFR11, the identified responsibilities are not complete. For example: Nobody identified as responsible for monitoring security breaches (Open systems)
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns -
21
Summary of Gaps across three sites
Site 1 Site 2 Site 3
Management
CompliancePlanningDevelopment LifecycleOperational LifecycleTechnical Controls
Gap 1
Gap 1: Compliance vulnerabilities in policies and guidelines due to ambiguities, omissions with respect to 21 CFR Part 11 compliance, and uncontrolled roll out processes
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns -
22
Summary Outcome
Site 1 Site 2 Site 3
Management
CompliancePlanningDevelopment LifecycleOperational LifecycleTechnical Controls
Gap 1
Gap 2: Weaknesses with SLA agreements internally and externally
Gap 3: Inconsistencies and misunderstandings in complying with 21 CFR Part 11 policy
Gap 2
Gap 3
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns -
23
Summary Outcome
Site 1 Site 2 Site 3
Management
CompliancePlanningDevelopment LifecycleOperational LifecycleTechnical Controls
Gap 1
Gap 4: Document management system used for submissions to FDA is not compliant with 21 CFR Part 11
Gap 2
Gap 3
Gap 4
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns -
24
Summary Outcome
Site 1 Site 2 Site 3
Management
CompliancePlanningDevelopment LifecycleOperational LifecycleTechnical Controls
Gap 1
Gap 5: No evidence of written system specifications
Gap 2
Gap 3
Gap 4
Gap 5
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns -
25
Communication: Encourage positive attitude
Summary of strengths across all three sites Opportunity for learning from best practice within department
Recommendations on how to mitigate gaps
GAP Communication
Recognise strengthsPresent GAPS in spirit of constructive criticism
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns -
26
GAP Analysis in the IT Environment
Dedicated Stand-alone
Satellite to Central IT Central IT Outsourced
IT Support Services
Simple Complex
Benefit gained from a GAP Analysis increases with complexity
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns -
27
21 CFR Part 11 Gap Analysis
The Checklist approach
Used widely throughout the industry
Filled in by one or two people
Only basic knowledge of 21 CFR Part 11 required
Simple Quick Investigation of solutions
postponed
Variable quality outcome Inconsistent interpretation Detail needs to be
followed up later Document non-
compliances without solutions
Overwhelmed by actions No business assessment
FOR AGAINST
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns -
28
21 CFR Part 11 Gap Analysis
The Meeting approach
Used by some companies High quality output through
participation of variety of competent individuals
Consistent interpretation when led by specialists
Immediate and effective communication of gap
Immediate assignment of actions
Immediate cost/benefit evaluation
AGAINSTFOR Requires training of
specialists to act as chairperson/ interpreter
Resource intensive Requires more planning
and co-ordination Progress appears to be
slower
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns -
29
Good practice for Gap Management
Appoint person responsible for monitoring progress and documenting closure of actions
Assign responsibility for finding a solution an appropriately qualified person
Ensure all stakeholders are involved Agree deadlines Consider a mix of short term and long term solutions Use risk assessment and cost benefit analysis to make decisions Make sure you take timely steps to secure finance
Provision from current budget CAPEX spend Special funding
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns -
30
Impractical corrective actions
The solution would financially put the company out of business Ask a software supplier with only 5% of their sales volume in the
Pharma sector to redesign their product immediately and at their own cost
As a telecom service provider with 30,000 employees to train all its telecom engineers in GMP compliance
Set deadlines for actions when there is No budget No resource No buy-in from system owners No buy-in from senior management
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns -
31
Mitigating Enforcement Actions
Before an inspection Assess gaps and formulate a plan for remediation If requested present the plan during the inspection Ensure actions are completed Ensure time lines are met
Avoid a FDA-483 Observation or even worse!
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns -
32
Mitigating Enforcement Actions
If you receive a FDA-483 Observation Warning Letter
Use GAP analysis Identify the true extent of the gap or gaps Identify the underlying root cause Plan for remediation Report planned remediation to FDA Report closure of remediation programme to FDA
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns -
33
Example: FDA-483 reports two missing SOP
Use a GAP analysis to identify the true compliance GAP
Change control
Backup & Restore
Software upgrades
Hardware platform
Administration of users
Hardware maintenance
Operating system
Software configuration
Purchase
Use
Authorisation of users
Initial Validation
Contingency Planning
System definition
Revalidation
IT Team
Application Specialist
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns -
34
My personal opinion
GAP Analysis is a very effective tool for developing and maintaining compliance
– are you too timid to use it?
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns -
35
Any queries on this presentation?
Dr. Jennifer MethfesselABB LtdBelasis Hall Technology ParkBillinghamCleveland, TS23 4YSUK
Tel: +44 (0)1642 372321
Fax: +44 (0)1642 372166
Mob: +44 (0)7715 759197
e-mail: [email protected]
Please contact……
© A
BB
Eut
ech
Pro
cess
Sol
utio
ns -
36