Gap Analysis

Dr Jennifer Methfessel
Senior Consultant
ABB Life Sciences
ABB Eutech Process Solutions
Advanced Computer
Systems Validation
17-18th Nov 2003
London,UK
Effective GAP analysis

as a Tool for compliance
How to fit GAP analysis into
compliance initiatives
The aim of the talk
ABB Eutech Process Solutions - 2
To explore how gap analysis can be used to improve

compliance
Review the gap analysis process and how to make it effective
Think about how to choose the most appropriate method of gap

analysis in a given situation
CSV Gap Analysis: Case Study
Gap Analysis in IT and for 21 CFR Part 11 Assessments
What are practical and impractical corrective actions
Using GAP Analysis to mitigate Enforcement Actions
Effective GAP Analysis Techniques
Why do a gap analysis?
Seek reassurance that there are no serious gaps
More information is required about suspected

or known gaps
Inspection readiness
Evidence of gaps is required to obtain resources/funding
You need to know
The shape
of the gap
The size of
the gap
Elements of a Gap Analysis
Gap
Assessment
Gap
Communication
New Law or
Guideline
Gap
Management
Stages in the Gap Analysis process
Assessment
Provide information about the gap
Communication
Evaluate different solutions and decide between them
Carry out further investigation to arrive at a decision
Involve all relevant competencies in decision making
Estimate resources, timing and costs
Management
Identify knowledge and competencies required
Implement solution
Gap Analysis Preparation
Gap = difference between actual state and desired state

Know your desired state!
Desired
gap
Examples:
URS
Actual
FDA/EU Regulations
National regulations
HIPPA, Data Protection

Company procedures
gap
gap
Mandatory training requirements

Industry best practice
(e.g.GAMP, IEEE, ASTM)
Assessment Techniques: The Checklist
Checklist describes desired state
Examples:
Review of set of SOPs for an IT department
Password and security requirements for computer systems
Business Readiness Audit
21 CFR Part 11 compliance
Useful when.
Requirements are very clearly defined
Gap Analysis will be repeated frequently
Individuals dont have high degree of subject knowledge
Narrow scope
Goal is Assessment only
Assessment Techniques: The Audit
Auditor prepares a script which is a prompt for the areas

to be covered
Script typically includes examples of expected outcome
Examples:
Supplier Audit
Compliance Audit
Internal Audit
Validation Package Audit
Useful when.
Baseline of compliance status is required
Scope is broad
Goal is Assessment and Communication
Assessment Techniques: The Meeting
Chairman prepares script of areas to be covered and

identifies required participants
Examples:
Assessment of change of legislation which impacts a specific

system (e.g. Data Protection, Clinical Trials Supply)
21 CFR Part 11 Assessment
Reaction to Regulatory Warning Letters or Inspection Findings
Reaction to quality problems
Used when
Narrow scope
Multi-disciplinary input required
Discussion required
Goal is Assessment and Communication
How will you communicate the gap?
Share a written summary of findings
Give a presentation of findings
To the stakeholders
To management
Good practice suggests
Include recommendations for gap management
Facilitate meetings with stakeholders to discuss options
Evaluate which options are best for the business
Evaluate risks associated with each option
Manage the gap
What are the priorities?
What is the urgency?
Who will pay?
Who has the knowledge to implement the solution?
Get ownership for actions and commitment to deadlines
Monitor actions
Record closure
When is a Gap Analysis effective?
Gap is closed at appropriate cost in an

appropriate time frame with the buy in of all
involved parties
The pitfalls
Only find the gaps you are looking for
Failure to analyse the root cause behind the gaps
Assess the gaps but dont communicate or manage the

gaps
Failure to monitor actions and document closure
CSV Gap Analysis: Case Study
The IT Director of a Development Department asked for a

review of the compliance status of Computer Systems in
the department
Scope included three sites (two US, one European)
Gap Analysis against
FDA requirements for GLP and GMP
US Title 21 CFR Part 11
OECD Guideline 10 / AGIT
Industry Best Practice

(GAMP and ABB Eutech cross-industry experience)
ABB Eutech proposed gap analysis method
Review
Policies
Plan
Site 1 SOP
Review
Site 1
Audit
Site 2 SOP
Review
Site 2
Audit
Site 3 SOP
Review
Site 3
Audit
Coaching
Summing
Up
Deliverables
One report for each site which
compares current practices against the defined criteria
identifies existing compliance vulnerabilities in the systems

reviewed
prioritises the compliance issues that these gaps present to the

business
recommends how to solve the compliance issues identified
One summary executive report
One presentation of findings to management
Participants in the gap analysis
Information Management Leadership
Local Quality Assurance Manager
Selected Systems Owners
Network Design and Security Management
Desktop Systems Management
Server Systems Management
Help Desk / Systems Support Management
Project manpower, costs and timing
Auditor style gap assessment
6 days CSV policy and guidance review, audit planning

and criteria definition
1 day Planning conference with audit team and client

(telecon)
5 day audit and SOP review on each site
2 days reporting per site
1 day exec summary
Cost = USD 40K plus travel expenses
Timing: Summary report 6 weeks after start
Desired state: Compliance criteria definition

OEC
D
10
AGIT
CSV
GA
MP
Addressed
by
Corporate
CSV
Guidelines
Required By (External Guidance)

Req
Ref
Description
GMP
GLP
21CFR1
1
Management
M01
CurrentOrganogramexists,and
indicatesindependenceofQAFunction
211.22
58.35
11.100a
1D
CSV5
7.5.1
M02
WrittenValidationPolicyapprovedby
seniormanagement.
11.10a
11.10j
1A
CSV4
CSVpolicy
M03
Writtenrecordretentionpolicy/
interpretation
58.195
11.10c
M04
ContinuousImprovement/self
inspectionprocessesareinplace
58.35d
11.10
O1
M05
RecordsOwnership(detailsofwhois
responsiblefortheretainedrecords)
58.190
c
11.10c
O6
M06
EvidencethatQMpracticesare
conductedtoarecognizedquality
standard
7A
CSV5
Actual state: Findings from reviews and audits

No
Compliance
Requirement
Reference
[F01]
M02
Department X has developed an excellent policy statement and supporting set of corporate
CSV Guidelines. In many ways these represent current best practice. For example:
they are clear and easy to understand; they use a simple framework to cover a broad
range of application;
they address all the major computer systems compliance aspects of current drug
development and manufacturing legislation;
they have a strong core of 'risk management' reflecting both GAMP and the FDA's August
2002 announcement on the future of the GMPs.
[F02]
M02
The Corporate CSV Policy and Guidelines have a fairly general definition of their scope of
application. In practice, the definition of a 'computerised system' is a little more vague, and it
is possible that inconsistencies in the application of CSV Policy across Department X may
arise.
[F03]
M07
During the 2001 redraft, the process for review, roll-out and staff training for the corporate CSV
Policy, Guidelines and Example SOPs was inconsistent across the three Department X sites,
resulting in inconsistent awareness of and commitment to these corporate practices.
[F04]
M01
While the Electronic Records and Electronic Signatures guideline provides a good overview of
the responsibilities required to comply with 21CFR11, the identified responsibilities are not
complete. For example:
Nobody identified as responsible for monitoring security breaches (Open systems)
Compliance Finding
Summary of Gaps across three sites

Site 1
Management
Site 2
Gap 1
Compliance
Planning
Development
Lifecycle
Operational
Lifecycle
Technical
Controls
Gap 1: Compliance vulnerabilities in policies and
guidelines due to ambiguities, omissions with respect
to 21 CFR Part 11 compliance, and uncontrolled roll
out processes
Site 3
Summary Outcome
Site 1
Management
Site 2
Gap 1
Compliance
Planning
Development
Lifecycle
Operational
Lifecycle
Technical
Controls
Gap 2: Weaknesses with SLA agreements internally
and externally
Gap 3: Inconsistencies and misunderstandings in
complying with 21 CFR Part 11 policy
Site 3
Gap 2
Gap 3
Summary Outcome
Site 1
Management
Site 2
Gap 1
Compliance
Planning
Site 3
Gap 2
Gap 3
Development
Lifecycle
Operational
Lifecycle
Technical
Controls
Gap 4: Document management system used for
submissions to FDA is not compliant with 21 CFR Part 11
Gap 4
Summary Outcome
Site 1
Management
Site 2
Gap 1
Compliance
Planning
Development
Lifecycle
Site 3
Gap 2
Gap 3
Gap 5
Operational
Lifecycle
Technical
Controls
Gap 5: No evidence of written system specifications
Gap 4
Communication: Encourage positive attitude
Summary of strengths across all three sites
Opportunity for learning from best practice within department
Recommendations on how to mitigate gaps
GAP Communication
Recognise strengths
Present GAPS in spirit of
constructive criticism
GAP Analysis in the IT Environment

Dedicated
Stand-alone
Satellite to
Central IT
Central IT
Outsourced
IT Support Services
Simple
Complex
Benefit gained from a GAP Analysis increases

with complexity
21 CFR Part 11 Gap Analysis
The Checklist approach

AGAINST
FOR
Used widely throughout

the industry
Variable quality outcome
Inconsistent interpretation
Filled in by one or two

people
Only basic knowledge of

21 CFR Part 11 required
Detail needs to be
followed up later
Simple
Quick
Document noncompliances without

solutions
Investigation of solutions
postponed
Overwhelmed by actions
No business assessment
21 CFR Part 11 Gap Analysis
The Meeting approach
FOR
AGAINST
Requires training of
specialists to act as
chairperson/ interpreter
Used by some companies
High quality output through

participation of variety of
competent individuals
Resource intensive
Consistent interpretation
when led by specialists
Immediate and effective

communication of gap
Requires more planning

and co-ordination
Immediate assignment of
actions
Progress appears to be
slower
Immediate cost/benefit
evaluation
Good practice for Gap Management
Appoint person responsible for monitoring progress and

documenting closure of actions
Assign responsibility for finding a solution an appropriately qualified

person
Ensure all stakeholders are involved
Agree deadlines
Consider a mix of short term and long term solutions
Use risk assessment and cost benefit analysis to make decisions
Make sure you take timely steps to secure finance
Provision from current budget
CAPEX spend
Special funding
Impractical corrective actions
The solution would financially put the company out of business
Ask a software supplier with only 5% of their sales volume in the

Pharma sector to redesign their product immediately and at their
own cost
As a telecom service provider with 30,000 employees to train all its

telecom engineers in GMP compliance
Set deadlines for actions when there is
No budget
No resource
No buy-in from system owners
No buy-in from senior management
Mitigating Enforcement Actions
Before an inspection
Assess gaps and formulate a plan for remediation
If requested present the plan during the inspection
Ensure actions are completed
Ensure time lines are met
Avoid a FDA-483 Observation

or even worse!
Mitigating Enforcement Actions
If you receive a
FDA-483 Observation
Warning Letter
Use GAP analysis
Identify the true extent of the gap or gaps
Identify the underlying root cause
Plan for remediation
Report planned remediation to FDA
Report closure of remediation programme to FDA
Example: FDA-483 reports two missing SOP
Use a GAP analysis to identify the true compliance GAP

System
definition
Purchase
Use
Authorisation
of users
Initial
Validation
Contingency
Planning
Change
control
Revalidation
Application
Specialist
Backup &
Restore
Hardware
maintenance
Software
upgrades
Operating
system
Hardware
platform
Administration
of users
Software
configuration
IT Team
My personal opinion
GAP Analysis is a very effective tool for developing and

maintaining compliance
are you too timid to use it?
Any queries on this presentation?

Please contact
Dr. Jennifer Methfessel
ABB Ltd
Belasis Hall Technology Park
Billingham
Cleveland, TS23 4YS
UK
Tel: +44 (0)1642 372321

Fax: +44 (0)1642 372166
Mob: +44 (0)7715 759197
e-mail:
jennifer.methfessel@gb.abb.com

Gap Analysis

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Gap Analysis

Hochgeladen von

Copyright:

Verfügbare Formate

Dr Jennifer Methfessel

ABB Eutech Process Solutions

Effective GAP analysis

The aim of the talk

ABB Eutech Process Solutions - 2

To explore how gap analysis can be used to improve

Review the gap analysis process and how to make it effective

Think about how to choose the most appropriate method of gap

CSV Gap Analysis: Case Study

Gap Analysis in IT and for 21 CFR Part 11 Assessments

What are practical and impractical corrective actions

Using GAP Analysis to mitigate Enforcement Actions

ABB Eutech Process Solutions - 3

Effective GAP Analysis Techniques

Why do a gap analysis?

Seek reassurance that there are no serious gaps

More information is required about suspected

Evidence of gaps is required to obtain resources/funding

You need to know

Elements of a Gap Analysis

ABB Eutech Process Solutions - 4

Stages in the Gap Analysis process

ABB Eutech Process Solutions - 5

Provide information about the gap

Evaluate different solutions and decide between them

Carry out further investigation to arrive at a decision

Involve all relevant competencies in decision making

Estimate resources, timing and costs

Identify knowledge and competencies required

Gap Analysis Preparation

Gap = difference between actual state and desired state

ABB Eutech Process Solutions - 6

HIPPA, Data Protection

Mandatory training requirements

Assessment Techniques: The Checklist

Checklist describes desired state

ABB Eutech Process Solutions - 7

Review of set of SOPs for an IT department

Password and security requirements for computer systems

Business Readiness Audit

21 CFR Part 11 compliance

Requirements are very clearly defined

Gap Analysis will be repeated frequently

Individuals dont have high degree of subject knowledge

Goal is Assessment only

ABB Eutech Process Solutions - 8

Assessment Techniques: The Audit

Auditor prepares a script which is a prompt for the areas

Script typically includes examples of expected outcome

Validation Package Audit

Baseline of compliance status is required

Goal is Assessment and Communication

Assessment Techniques: The Meeting

Chairman prepares script of areas to be covered and

ABB Eutech Process Solutions - 9

Assessment of change of legislation which impacts a specific

21 CFR Part 11 Assessment

Reaction to Regulatory Warning Letters or Inspection Findings

Reaction to quality problems

Multi-disciplinary input required

Goal is Assessment and Communication

How will you communicate the gap?

Share a written summary of findings