
Effective GAP analysis as a Tool for compliance
How to fit GAP analysis into compliance initiatives

Dr Jennifer Methfessel
Senior Consultant
ABB Life Sciences

Advanced Computer Systems Validation
17-18th Nov 2003
London, UK
© ABB Eutech Process Solutions
The aim of the talk

• To explore how gap analysis can be used to improve
• Review the gap analysis process and how to make it effective
• Think about how to choose the most appropriate method of gap analysis in a given situation
• CSV Gap Analysis: Case Study
• Gap Analysis in IT and for 21 CFR Part 11 Assessments
• What are practical and impractical corrective actions
• Using GAP Analysis to mitigate Enforcement Actions

Effective GAP Analysis Techniques

• Why do a gap analysis?
  • Seek reassurance that there are no serious gaps
  • More information is required about suspected or known gaps
  • Inspection readiness
  • Evidence of gaps is required to obtain resources/funding
• You need to know
  • The “shape” of the gap
  • The size of the gap
Elements of a Gap Analysis

[Diagram: New Law or Guideline; Gap Assessment; Gap Communication; Gap Management]
Stages in the Gap Analysis process

• Assessment
  • Provide information about the gap
• Communication
  • Evaluate different solutions and decide between them
  • Carry out further investigation to arrive at a decision
  • Involve all relevant competencies in decision making
  • Estimate resources, timing and costs
• Management
  • Identify knowledge and competencies required
  • Implement solution
Gap Analysis Preparation

• Gap = difference between actual state and desired state

Know your desired state!

[Diagram labels: Desired, gap]

Examples:
FDA/EU Regulations
National regulations
HIPAA, Data Protection
Company procedures
Mandatory training requirements
Industry best practice
Assessment Techniques: The Checklist

• Checklist describes desired state
• Examples:
  • Review of set of SOPs for an IT department
  • Password and security requirements for computer systems
  • Business Readiness Audit
  • 21 CFR Part 11 compliance
• Useful when….
  • Requirements are very clearly defined
  • Gap Analysis will be repeated frequently
  • Individuals don’t have high degree of subject knowledge
  • Narrow scope
  • Goal is Assessment only
Assessment Techniques: The Audit

• Auditor prepares a script which is a prompt for the areas to be covered
• Script typically includes examples of expected outcome
• Examples:
  • Supplier Audit
  • Compliance Audit
  • Internal Audit
  • Validation Package Audit
• Useful when….
  • Baseline of compliance status is required
  • Scope is broad
  • Goal is Assessment and Communication
Assessment Techniques: The Meeting

• Chairman prepares script of areas to be covered and identifies required participants
• Examples:
  • Assessment of change of legislation which impacts a specific system (e.g. Data Protection, Clinical Trials Supply)
  • 21 CFR Part 11 Assessment
  • Reaction to Regulatory Warning Letters or Inspection Findings
  • Reaction to quality problems
• Used when………
  • Narrow scope
  • Multi-disciplinary input required
  • Discussion required
  • Goal is Assessment and Communication
How will you communicate the gap?

• Share a written summary of findings
• Give a presentation of findings
  • To the stakeholders
  • To management
• Good practice suggests…
  • Include recommendations for gap management
  • Facilitate meetings with stakeholders to discuss options
  • Evaluate which options are best for the business
  • Evaluate risks associated with each option

Manage the gap

• What are the priorities?
• What is the urgency?
• Who will pay?
• Who has the knowledge to implement the solution?
• Get ownership for actions and commitment to deadlines
• Monitor actions
• Record closure
When is a Gap Analysis effective?

Gap is closed at appropriate cost in an appropriate time frame with the buy in of all involved parties
The pitfalls

• Only find the gaps you are looking for
• Failure to analyse the root cause behind the gaps
• Assess the gaps but don’t communicate or manage the
• Failure to monitor actions and document closure

CSV Gap Analysis: Case Study

• The IT Director of a Development Department asked for a review of the compliance status of Computer Systems in the department
• Scope included three sites (two US, one European)
• Gap Analysis against
  • FDA requirements for GLP and GMP
  • US Title 21 CFR Part 11
  • OECD Guideline 10 / AGIT
  • Industry Best Practice (GAMP and ABB Eutech cross-industry experience)
ABB Eutech proposed gap analysis method

[Diagram, left to right: Review Policies; Plan; for each of Site 1, Site 2 and Site 3: SOP Review, then Audit; Summing Up]

• One report for each site which
  • compares current practices against the defined criteria
  • identifies existing compliance vulnerabilities in the systems
  • prioritises the compliance issues that these gaps present to the
  • recommends how to solve the compliance issues identified
• One summary executive report
• One presentation of findings to management

Participants in the gap analysis

• Information Management Leadership
• Local Quality Assurance Manager
• Selected Systems Owners
• Network Design and Security Management
• Desktop Systems Management
• Server Systems Management
• Help Desk / Systems Support Management
Project manpower, costs and timing

• Auditor style gap assessment
  • 6 days CSV policy and guidance review, audit planning and criteria definition
  • 1 day Planning conference with audit team and client
  • 5 day audit and SOP review on each site
  • 2 days reporting per site
  • 1 day exec summary
• Cost = USD 40K plus travel expenses
• Timing: Summary report 6 weeks after start
Desired state: Compliance criteria definition

Columns: Req Ref | Description | Required By (External Guidance): GMP, GLP, 1, OEC 10, CSV MP, Corporate Guidelines

M01 | Current Organogram exists, and indicates independence of QA Function | 211.22; 58.35; 11.100a; 1D; CSV5; 7.5.1
M02 | Written Validation Policy approved by senior management. | 11.10a; 11.10j; 1A; CSV4; CSV policy
M03 | Written record retention policy / | 58.195; 11.10c
M04 | Continuous Improvement/ self inspection processes are in place | 58.35d; 11.10; O1
M05 | Records Ownership (details of who is responsible for the retained records) | 58.190c; 11.10c; O6
M06 | Evidence that QM practices are conducted to a recognized quality | 7A; CSV5
Actual state: Findings from reviews and audits

No | Reference | Compliance Finding

[F01] M02 Department X has developed an excellent policy statement and supporting set of corporate CSV Guidelines. In many ways these represent current best practice. For example:
· they are clear and easy to understand; they use a simple framework to cover a broad range of application;
· they address all the major computer systems compliance aspects of current drug development and manufacturing legislation;
· they have a strong core of 'risk management' reflecting both GAMP and the FDA's August 2002 announcement on the future of the GMPs.

[F02] M02 The Corporate CSV Policy and Guidelines have a fairly general definition of their scope of application. In practice, the definition of a 'computerised system' is a little more vague, and it is possible that inconsistencies in the application of CSV Policy across Department X may arise.

[F03] M07 During the 2001 redraft, the process for review, roll-out and staff training for the corporate CSV Policy, Guidelines and Example SOPs was inconsistent across the three Department X sites, resulting in inconsistent awareness of and commitment to these corporate practices.

[F04] M01 While the Electronic Records and Electronic Signatures guideline provides a good overview of the responsibilities required to comply with 21CFR11, the identified responsibilities are not complete. For example:
· Nobody identified as responsible for monitoring security breaches (Open systems)
Summary of Gaps across three sites

[Grid labels: Site 1, Site 2, Site 3; Management; gaps shown: Gap 1]

Gap 1: Compliance vulnerabilities in policies and guidelines due to ambiguities, omissions with respect to 21 CFR Part 11 compliance, and uncontrolled roll out processes
Summary Outcome

[Grid labels: Site 1, Site 2, Site 3; Management; gaps shown: Gap 1, Gap 2, Gap 3]

Gap 2: Weaknesses with SLA agreements internally and externally
Gap 3: Inconsistencies and misunderstandings in complying with 21 CFR Part 11 policy
Summary Outcome

[Grid labels: Site 1, Site 2, Site 3; Management; gaps shown: Gap 1, Gap 2, Gap 3, Gap 4]

Gap 4: Document management system used for submissions to FDA is not compliant with 21 CFR Part 11
Summary Outcome

[Grid labels: Site 1, Site 2, Site 3; Management; gaps shown: Gap 1, Gap 2, Gap 3, Gap 4, Gap 5]

Gap 5: No evidence of written system specifications

Communication: Encourage positive attitude

• Summary of strengths across all three sites
• Opportunity for learning from best practice within department
• Recommendations on how to mitigate gaps

GAP Communication
Recognise strengths
Present GAPS in spirit of constructive criticism
GAP Analysis in the IT Environment

Dedicated Satellite to
Central IT Outsourced
Stand-alone Central IT

IT Support Services

Simple Complex

Benefit gained from a GAP Analysis increases with complexity
21 CFR Part 11 Gap Analysis

• The Checklist approach

  • Used widely throughout the industry
  • Filled in by one or two people
  • Only basic knowledge of 21 CFR Part 11 required
  • Simple
  • Quick
  • Investigation of solutions postponed

  • Variable quality outcome
  • Inconsistent interpretation
  • Detail needs to be followed up later
  • Document non-compliances without
  • Overwhelmed by actions
  • No business assessment
21 CFR Part 11 Gap Analysis

• The Meeting approach

  • Used by some companies
  • High quality output through participation of variety of competent individuals
  • Consistent interpretation when led by specialists
  • Immediate and effective communication of gap
  • Immediate assignment of
  • Immediate cost/benefit

  • Requires training of specialists to act as chairperson/ interpreter
  • Resource intensive
  • Requires more planning and co-ordination
  • Progress appears to be
Good practice for Gap Management

• Appoint person responsible for monitoring progress and documenting closure of actions
• Assign responsibility for finding a solution an appropriately qualified
• Ensure all stakeholders are involved
• Agree deadlines
• Consider a mix of short term and long term solutions
• Use risk assessment and cost benefit analysis to make decisions
• Make sure you take timely steps to secure finance
  • Provision from current budget
  • CAPEX spend
  • Special funding
Impractical corrective actions

• The solution would financially put the company out of business
• Ask a software supplier with only 5% of their sales volume in the Pharma sector to redesign their product immediately and at their own cost
• Ask a telecom service provider with 30,000 employees to train all its telecom engineers in GMP compliance
• Set deadlines for actions when there is
  • No budget
  • No resource
  • No buy-in from system owners
  • No buy-in from senior management
Mitigating Enforcement Actions

• Before an inspection
  • Assess gaps and formulate a plan for remediation
  • If requested, present the plan during the inspection
  • Ensure actions are completed
  • Ensure time lines are met

Avoid an FDA-483 Observation or even worse!
Mitigating Enforcement Actions

• If you receive a
  • FDA-483 Observation
  • Warning Letter
• Use GAP analysis
  • Identify the true extent of the gap or gaps
  • Identify the underlying root cause
  • Plan for remediation
  • Report planned remediation to FDA
  • Report closure of remediation programme to FDA
Example: FDA-483 reports two missing SOPs

• Use a GAP analysis to identify the true compliance GAP

Backup &
Restore Hardware
System maintenance
Purchase Initial upgrades
Contingency system

Authorisation Change IT Team
of users control
of users
Application Software
Specialist configuration
My personal opinion

GAP Analysis is a very effective tool for developing and maintaining compliance – are you too timid to use it?
Any queries on this presentation?

Please contact……
Dr. Jennifer Methfessel
Belasis Hall Technology Park
Cleveland, TS23 4YS
Tel: +44 (0)1642 372321
Fax: +44 (0)1642 372166
Mob: +44 (0)7715 759197