Dr Jennifer Methfessel Senior Consultant ABB Life Sciences

Advanced Computer Systems Validation 17-18th Nov 2003 London,UK

Effective GAP analysis as a Tool for compliance

How to fit GAP analysis into compliance initiatives

ABB Eutech Process Solutions

The aim of the talk

To explore how gap analysis can be used to improve compliance

Review the gap analysis process and how to make it effective Think about how to choose the most appropriate method of gap analysis in a given situation CSV Gap Analysis: Case Study Gap Analysis in IT and for 21 CFR Part 11 Assessments What are practical and impractical corrective actions

ABB Eutech Process Solutions - 2

Using GAP Analysis to mitigate Enforcement Actions

Effective GAP Analysis Techniques

Why do a gap analysis? Seek reassurance that there are no serious gaps

ABB Eutech Process Solutions - 3

More information is required about suspected or known gaps

Inspection readiness

Evidence of gaps is required to obtain resources/funding

You need to know

The shape of the gap

The size of the gap

Elements of a Gap Analysis

Gap Assessment

New Law or Guideline

ABB Eutech Process Solutions - 4

Gap Communication

Gap Management

Stages in the Gap Analysis process

Assessment

Provide information about the gap

Communication

Evaluate different solutions and decide between them Carry out further investigation to arrive at a decision Involve all relevant competencies in decision making Estimate resources, timing and costs

ABB Eutech Process Solutions - 5

Management

Identify knowledge and competencies required Implement solution

Gap Analysis Preparation

Gap = difference between actual state and desired state Know your desired state!
Desired

gap

Examples: URS

Actual

FDA/EU Regulations
National regulations HIPPA, Data Protection

ABB Eutech Process Solutions - 6

Company procedures
gap Mandatory training requirements gap Industry best practice (e.g.GAMP, IEEE, ASTM)

Assessment Techniques: The Checklist

Checklist describes desired state Examples:

Review of set of SOPs for an IT department Password and security requirements for computer systems Business Readiness Audit 21 CFR Part 11 compliance

Useful when.

Requirements are very clearly defined Gap Analysis will be repeated frequently Individuals dont have high degree of subject knowledge Narrow scope Goal is Assessment only

ABB Eutech Process Solutions - 7

Assessment Techniques: The Audit

Auditor prepares a script which is a prompt for the areas to be covered Script typically includes examples of expected outcome Examples:

Supplier Audit Compliance Audit

ABB Eutech Process Solutions - 8

Internal Audit
Validation Package Audit

Useful when.

Baseline of compliance status is required Scope is broad Goal is Assessment and Communication

Assessment Techniques: The Meeting

Chairman prepares script of areas to be covered and identifies required participants Examples:

Assessment of change of legislation which impacts a specific system (e.g. Data Protection, Clinical Trials Supply) 21 CFR Part 11 Assessment Reaction to Regulatory Warning Letters or Inspection Findings Reaction to quality problems

ABB Eutech Process Solutions - 9

Used when

Narrow scope

Multi-disciplinary input required

Discussion required Goal is Assessment and Communication

How will you communicate the gap?

Share a written summary of findings

Give a presentation of findings

To the stakeholders To management

Good practice suggests

Include recommendations for gap management Facilitate meetings with stakeholders to discuss options Evaluate which options are best for the business Evaluate risks associated with each option

ABB Eutech Process Solutions - 10

Manage the gap

What are the priorities? What is the urgency?

Who will pay?

Who has the knowledge to implement the solution? Get ownership for actions and commitment to deadlines

ABB Eutech Process Solutions - 11

Monitor actions
Record closure

When is a Gap Analysis effective?

Gap is closed at appropriate cost in an appropriate time frame with the buy in of all involved parties

ABB Eutech Process Solutions - 12

The pitfalls

Only find the gaps you are looking for

Failure to analyse the root cause behind the gaps

Assess the gaps but dont communicate or manage the gaps Failure to monitor actions and document closure

ABB Eutech Process Solutions - 13

CSV Gap Analysis: Case Study

The IT Director of a Development Department asked for a review of the compliance status of Computer Systems in the department
Scope included three sites (two US, one European)

Gap Analysis against

FDA requirements for GLP and GMP US Title 21 CFR Part 11

ABB Eutech Process Solutions - 14

OECD Guideline 10 / AGIT

Industry Best Practice (GAMP and ABB Eutech cross-industry experience)

ABB Eutech proposed gap analysis method

Site 1 SOP Review Review Policies Site 2 SOP Review Site 3 SOP Review
ABB Eutech Process Solutions - 15

Site 1 Audit Site 2 Audit Site 3 Audit Summing Up

Plan

Coaching

Deliverables

One report for each site which

compares current practices against the defined criteria identifies existing compliance vulnerabilities in the systems reviewed prioritises the compliance issues that these gaps present to the business recommends how to solve the compliance issues identified

ABB Eutech Process Solutions - 16

One summary executive report One presentation of findings to management

Participants in the gap analysis

Information Management Leadership Local Quality Assurance Manager

Selected Systems Owners

Network Design and Security Management Desktop Systems Management

ABB Eutech Process Solutions - 17

Server Systems Management

Help Desk / Systems Support Management

Project manpower, costs and timing

Auditor style gap assessment 6 days CSV policy and guidance review, audit planning and criteria definition 1 day Planning conference with audit team and client (telecon) 5 day audit and SOP review on each site

ABB Eutech Process Solutions - 18

2 days reporting per site

1 day exec summary Cost = USD 40K plus travel expenses

Timing: Summary report 6 weeks after start

Desired state: Compliance criteria definition

Req Ref Required By (External Guidance) Description
GMP GLP OEC D 10

21CFR1 1

AGIT CSV

GA MP

Addressed by Corporate CSV Guidelines

Management M01 Current Organogram exists, and indicates independence of QA Function Written Validation Policy approved by senior management. Written record retention policy / interpretation Continuous Improvement/ self inspection processes are in place Records Ownership (details of who is responsible for the retained records) Evidence that QM practices are conducted to a recognized quality standard
58.195 211.22

58.35

11.100a

1D

CSV5

7.5.1

M02

11.10a 11.10j 11.10c 11.10

1A

CSV4

CSV policy

M03 M04
ABB Eutech Process Solutions - 19

58.35d

O1

M05

58.190 c

11.10c

O6

M06

7A

CSV5

Actual state: Findings from reviews and audits

No [F01] Compliance Requirement Reference M02 Compliance Finding Department X has developed an excellent policy statement and supporting set of corporate CSV Guidelines. In many ways these represent current best practice. For example: they are clear and easy to understand; they use a simple framework to cover a broad range of application; they address all the major computer systems compliance aspects of current drug development and manufacturing legislation; they have a strong core of 'risk management' reflecting both GAMP and the FDA's August 2002 announcement on the future of the GMPs. The Corporate CSV Policy and Guidelines have a fairly general definition of their scope of application. In practice, the definition of a 'computerised system' is a little more vague, and it is possible that inconsistencies in the application of CSV Policy across Department X may arise. During the 2001 redraft, the process for review, roll-out and staff training for the corporate CSV Policy, Guidelines and Example SOPs was inconsistent across the three Department X sites, resulting in inconsistent awareness of and commitment to these corporate practices. While the Electronic Records and Electronic Signatures guideline provides a good overview of the responsibilities required to comply with 21CFR11, the identified responsibilities are not complete. For example: Nobody identified as responsible for monitoring security breaches (Open systems)

[F02]

M02

[F03]
ABB Eutech Process Solutions - 20

M07

[F04]

M01

Summary of Gaps across three sites

Site 1 Management Compliance Planning
Gap 1

Site 2

Site 3

Development Lifecycle
Operational Lifecycle
ABB Eutech Process Solutions - 21

Technical Controls Gap 1: Compliance vulnerabilities in policies and guidelines due to ambiguities, omissions with respect to 21 CFR Part 11 compliance, and uncontrolled roll out processes

Summary Outcome
Site 1 Management Compliance Planning
Gap 1

Site 2

Site 3
Gap 2
Gap 3

Development Lifecycle
Operational Lifecycle
ABB Eutech Process Solutions - 22

Technical Controls Gap 2: Weaknesses with SLA agreements internally and externally Gap 3: Inconsistencies and misunderstandings in complying with 21 CFR Part 11 policy

Summary Outcome
Site 1 Management Compliance Planning
Gap 1

Site 2

Site 3
Gap 2
Gap 3

Development Lifecycle
Operational Lifecycle
ABB Eutech Process Solutions - 23

Technical Controls Gap 4: Document management system used for submissions to FDA is not compliant with 21 CFR Part 11

Gap 4

Summary Outcome
Site 1 Management Compliance Planning
Gap 1

Site 2

Site 3
Gap 2
Gap 3

Development Lifecycle
Operational Lifecycle
ABB Eutech Process Solutions - 24

Gap 5

Technical Controls Gap 5: No evidence of written system specifications

Gap 4

Communication: Encourage positive attitude

Summary of strengths across all three sites

Opportunity for learning from best practice within department

Recommendations on how to mitigate gaps

ABB Eutech Process Solutions - 25

GAP Communication Recognise strengths Present GAPS in spirit of constructive criticism

GAP Analysis in the IT Environment

Dedicated Stand-alone Satellite to Central IT Central IT Outsourced

IT Support Services Simple Complex

ABB Eutech Process Solutions - 26

Benefit gained from a GAP Analysis increases with complexity

21 CFR Part 11 Gap Analysis

The Checklist approach

FOR

AGAINST

Used widely throughout the industry Filled in by one or two people

Variable quality outcome Inconsistent interpretation

Only basic knowledge of 21 CFR Part 11 required

Simple Quick

Detail needs to be followed up later

Document noncompliances without solutions Overwhelmed by actions No business assessment

ABB Eutech Process Solutions - 27

Investigation of solutions postponed

21 CFR Part 11 Gap Analysis

The Meeting approach

FOR Used by some companies High quality output through participation of variety of competent individuals Consistent interpretation when led by specialists Immediate and effective communication of gap Immediate assignment of actions Immediate cost/benefit evaluation

AGAINST Requires training of specialists to act as chairperson/ interpreter Resource intensive Requires more planning and co-ordination Progress appears to be slower

ABB Eutech Process Solutions - 28

Good practice for Gap Management

Appoint person responsible for monitoring progress and documenting closure of actions Assign responsibility for finding a solution an appropriately qualified person Ensure all stakeholders are involved Agree deadlines Consider a mix of short term and long term solutions

ABB Eutech Process Solutions - 29

Use risk assessment and cost benefit analysis to make decisions

Make sure you take timely steps to secure finance

Provision from current budget CAPEX spend

Special funding

Impractical corrective actions

The solution would financially put the company out of business Ask a software supplier with only 5% of their sales volume in the Pharma sector to redesign their product immediately and at their own cost As a telecom service provider with 30,000 employees to train all its telecom engineers in GMP compliance Set deadlines for actions when there is

No budget No resource No buy-in from system owners No buy-in from senior management

ABB Eutech Process Solutions - 30

Mitigating Enforcement Actions

Before an inspection

Assess gaps and formulate a plan for remediation If requested present the plan during the inspection Ensure actions are completed Ensure time lines are met

ABB Eutech Process Solutions - 31

Avoid a FDA-483 Observation or even worse!

Mitigating Enforcement Actions

If you receive a

FDA-483 Observation Warning Letter

Use GAP analysis

Identify the true extent of the gap or gaps Identify the underlying root cause Plan for remediation Report planned remediation to FDA

ABB Eutech Process Solutions - 32

Report closure of remediation programme to FDA

Example: FDA-483 reports two missing SOP

Use a GAP analysis to identify the true compliance GAP

Backup & Restore Hardware maintenance

System definition Purchase Initial Validation

Software upgrades
Operating system Hardware platform Administration of users Software configuration

Use
ABB Eutech Process Solutions - 33

Contingency Planning Change control

Authorisation of users

IT Team

Revalidation
Application Specialist

My personal opinion

GAP Analysis is a very effective tool for developing and maintaining compliance

are you too timid to use it?

ABB Eutech Process Solutions - 34

Any queries on this presentation?

Please contact
Dr. Jennifer Methfessel ABB Ltd Belasis Hall Technology Park Billingham Cleveland, TS23 4YS UK

Tel: +44 (0)1642 372321

ABB Eutech Process Solutions - 35

Fax: +44 (0)1642 372166 Mob: +44 (0)7715 759197 e-mail: jennifer.methfessel@gb.abb.com

 ABB Eutech Process Solutions - 36