Gap Analysis

Dr Jennifer Methfessel
Senior Consultant
ABB Life Sciences
Advanced Computer Effective GAP analysis
Systems Validation as a Tool for compliance
17-18th Nov 2003 How to fit GAP analysis into
London,UK compliance initiatives
© ABB Eutech Process Solutions
The aim of the talk
 To explore how gap analysis can be used to improve

compliance
 Review the gap analysis process and how to make it effective
 Think about how to choose the most appropriate method of

gap analysis in a given situation
 CSV Gap Analysis: Case Study
 Gap Analysis in IT and for 21 CFR Part 11 Assessments

© ABB Eutech Process Solutions - 2
 What are practical and impractical corrective actions
 Using GAP Analysis to mitigate Enforcement Actions

Effective GAP Analysis Techniques
 Why do a gap analysis?

 Seek reassurance that there are no serious gaps
 More information is required about suspected
or known gaps
 Inspection readiness
 Evidence of gaps is required to obtain resources/funding
 You need to know
The “shape” The size of

of the gap the gap
Elements of a Gap Analysis
Gap New Law or

Assessment Guideline
Gap Gap
Communication Management
Stages in the Gap Analysis process
 Assessment
 Provide information about the gap
 Communication
 Evaluate different solutions and decide between them
 Carry out further investigation to arrive at a decision
 Involve all relevant competencies in decision making
 Estimate resources, timing and costs
 Management
 Identify knowledge and competencies required

 Implement solution
Gap Analysis Preparation
 Gap = difference between actual state and desired state
Know your desired state!

Desired Examples:
gap
URS
FDA/EU Regulations
Actual
National regulations
HIPPA, Data Protection
Company procedures
Mandatory training requirements
gap gap
Industry best practice
(e.g.GAMP, IEEE, ASTM)
Assessment Techniques: The Checklist
 Checklist describes desired state

 Examples:
 Review of set of SOPs for an IT department
 Password and security requirements for computer systems
 Business Readiness Audit
 21 CFR Part 11 compliance
 Useful when….
 Requirements are very clearly defined
 Gap Analysis will be repeated frequently
 Individuals don’t have high degree of subject knowledge

 Narrow scope
 Goal is Assessment only
Assessment Techniques: The Audit
 Auditor prepares a script which is a prompt for the areas

to be covered
 Script typically includes examples of expected outcome
 Examples:
 Supplier Audit
 Compliance Audit
 Internal Audit
 Validation Package Audit
 Useful when….
 Baseline of compliance status is required

 Scope is broad
 Goal is Assessment and Communication
Assessment Techniques: The Meeting
 Chairman prepares script of areas to be covered and

identifies required participants
 Examples:
 Assessment of change of legislation which impacts a specific
system (e.g. Data Protection, Clinical Trials Supply)
 21 CFR Part 11 Assessment
 Reaction to Regulatory Warning Letters or Inspection Findings
 Reaction to quality problems
 Used when………
 Narrow scope
 Multi-disciplinary input required
 Discussion required
 Goal is Assessment and Communication
How will you communicate the gap?
 Share a written summary of findings
 Give a presentation of findings
 To the stakeholders
 To management
 Good practice suggests…
 Include recommendations for gap management
 Facilitate meetings with stakeholders to discuss options
 Evaluate which options are best for the business
 Evaluate risks associated with each option

Manage the gap
 What are the priorities?

 What is the urgency?
 Who will pay?
 Who has the knowledge to implement the solution?
 Get ownership for actions and commitment to deadlines
 Monitor actions
 Record closure
When is a Gap Analysis effective?
Gap is closed at appropriate cost in an

appropriate time frame with the buy in of all
involved parties
The pitfalls
 Only find the gaps you are looking for
 Failure to analyse the root cause behind the gaps
 Assess the gaps but don’t communicate or manage the

gaps
 Failure to monitor actions and document closure

CSV Gap Analysis: Case Study
 The IT Director of a Development Department asked for a

review of the compliance status of Computer Systems in
the department
 Scope included three sites (two US, one European)
 Gap Analysis against
 FDA requirements for GLP and GMP
 US Title 21 CFR Part 11
 OECD Guideline 10 / AGIT
 Industry Best Practice

(GAMP and ABB Eutech cross-industry experience)
ABB Eutech proposed gap analysis method
Site 1 SOP Site 1

Review Audit
Review Plan Site 2 SOP Site 2 Summing

Policies Review Audit Up
Site 3 SOP Site 3

Review Audit
Coaching
Deliverables
 One report for each site which

 compares current practices against the defined criteria
 identifies existing compliance vulnerabilities in the systems
reviewed
 prioritises the compliance issues that these gaps present to the
business
 recommends how to solve the compliance issues identified
 One summary executive report
 One presentation of findings to management

Participants in the gap analysis
 Information Management Leadership

 Local Quality Assurance Manager
 Selected Systems Owners
 Network Design and Security Management
 Desktop Systems Management
 Server Systems Management
 Help Desk / Systems Support Management
Project manpower, costs and timing
 Auditor style gap assessment

 6 days CSV policy and guidance review, audit planning
and criteria definition
 1 day Planning conference with audit team and client
(telecon)
 5 day audit and SOP review on each site
 2 days reporting per site
 1 day exec summary
 Cost = USD 40K plus travel expenses

 Timing: Summary report 6 weeks after start
Desired state: Compliance criteria definition
Addressed
Req Required By (External Guidance)
by
Ref Description OEC Corporate
21CFR1 D AGIT GA CSV
GMP GLP 1 10 CSV MP Guidelines
Management
M01 Current Organogram exists, and 211.22 58.35 11.100a 1D CSV5 7.5.1
indicates independence of QA Function
M02 Written Validation Policy approved by 11.10a 1A CSV4 CSV policy

senior management. 11.10j
M03 Written record retention policy / 58.195 11.10c

interpretation
M04 Continuous Improvement/ self 58.35d 11.10 O1

inspection processes are in place
M05 Records Ownership (details of who is 58.190 11.10c O6

responsible for the retained records) c
M06 Evidence that QM practices are 7A CSV5

conducted to a recognized quality
standard
Actual state: Findings from reviews and audits
Compliance
Requirement
No Reference Compliance Finding
[F01] M02 Department X has developed an excellent policy statement and supporting set of corporate
CSV Guidelines. In many ways these represent current best practice. For example:
· they are clear and easy to understand; they use a simple framework to cover a broad
range of application;
· they address all the major computer systems compliance aspects of current drug
development and manufacturing legislation;
· they have a strong core of 'risk management' reflecting both GAMP and the FDA's August
2002 announcement on the future of the GMPs.
[F02] M02 The Corporate CSV Policy and Guidelines have a fairly general definition of their scope of
application. In practice, the definition of a 'computerised system' is a little more vague, and it is
possible that inconsistencies in the application of CSV Policy across Department X may arise.
[F03] M07 During the 2001 redraft, the process for review, roll-out and staff training for the corporate CSV
Policy, Guidelines and Example SOPs was inconsistent across the three Department X sites,
resulting in inconsistent awareness of and commitment to these corporate practices.
[F04] M01 While the Electronic Records and Electronic Signatures guideline provides a good overview of
the responsibilities required to comply with 21CFR11, the identified responsibilities are not
complete. For example:
 Nobody identified as responsible for monitoring security breaches (Open systems)
Summary of Gaps across three sites
Site 1 Site 2 Site 3
Management Gap 1
Compliance
Planning
Development
Lifecycle
Operational
Lifecycle
Technical
Controls
Gap 1: Compliance vulnerabilities in policies and

guidelines due to ambiguities, omissions with respect
to 21 CFR Part 11 compliance, and uncontrolled roll
out processes
Summary Outcome
Management Gap 1 Gap 2
Compliance
Gap 3
Planning
Development
Lifecycle
Operational
Lifecycle
Technical
Controls
Gap 2: Weaknesses with SLA agreements internally

and externally
Gap 3: Inconsistencies and misunderstandings in
complying with 21 CFR Part 11 policy
Summary Outcome
Compliance
Gap 3
Planning
Development
Lifecycle
Operational
Lifecycle
Technical
Gap 4
Controls
Gap 4: Document management system used for

submissions to FDA is not compliant with 21 CFR Part 11
Summary Outcome
Compliance
Gap 3
Planning
Development
Gap 5
Lifecycle
Operational
Lifecycle
Technical
Gap 4
Controls
Gap 5: No evidence of written system specifications

Communication: Encourage positive attitude
 Summary of strengths across all three sites

 Opportunity for learning from best practice within department
 Recommendations on how to mitigate gaps
GAP Communication
Recognise strengths
Present GAPS in spirit of
constructive criticism
GAP Analysis in the IT Environment
Dedicated Satellite to
Central IT Outsourced
Stand-alone Central IT
IT Support Services
Simple Complex
Benefit gained from a GAP Analysis increases

with complexity
21 CFR Part 11 Gap Analysis
 The Checklist approach

FOR AGAINST
 Used widely throughout  Variable quality outcome

the industry
 Inconsistent interpretation
 Filled in by one or two
people  Detail needs to be
followed up later
 Only basic knowledge of
21 CFR Part 11 required  Document non-
compliances without
 Simple
solutions
 Quick
 Overwhelmed by actions
 Investigation of solutions
postponed  No business assessment
21 CFR Part 11 Gap Analysis
 The Meeting approach

FOR AGAINST
 Used by some companies  Requires training of
 High quality output through specialists to act as
participation of variety of chairperson/ interpreter
competent individuals  Resource intensive
 Consistent interpretation
 Requires more planning
when led by specialists
and co-ordination
 Immediate and effective
communication of gap  Progress appears to be
slower
 Immediate assignment of
actions
 Immediate cost/benefit
evaluation
Good practice for Gap Management
 Appoint person responsible for monitoring progress and
documenting closure of actions
 Assign responsibility for finding a solution an appropriately qualified
person
 Ensure all stakeholders are involved
 Agree deadlines
 Consider a mix of short term and long term solutions
 Use risk assessment and cost benefit analysis to make decisions
 Make sure you take timely steps to secure finance
 Provision from current budget
 CAPEX spend
 Special funding
Impractical corrective actions
 The solution would financially put the company out of business

 Ask a software supplier with only 5% of their sales volume in the
Pharma sector to redesign their product immediately and at their
own cost
 As a telecom service provider with 30,000 employees to train all its
telecom engineers in GMP compliance
 Set deadlines for actions when there is
 No budget
 No resource
 No buy-in from system owners

 No buy-in from senior management
Mitigating Enforcement Actions
 Before an inspection
 Assess gaps and formulate a plan for remediation
 If requested present the plan during the inspection
 Ensure actions are completed
 Ensure time lines are met
Avoid a FDA-483 Observation

or even worse!
Mitigating Enforcement Actions
 If you receive a
 FDA-483 Observation
 Warning Letter
 Use GAP analysis

 Identify the true extent of the gap or gaps
 Identify the underlying root cause
 Plan for remediation
 Report planned remediation to FDA

 Report closure of remediation programme to FDA
Example: FDA-483 reports two missing SOP
 Use a GAP analysis to identify the true compliance GAP

Backup &
Restore Hardware
System maintenance
definition
Software
Purchase Initial upgrades
Validation
Operating
Contingency system
Use
Planning
Hardware
platform
Authorisation Change IT Team
of users control
Administration
of users
Revalidation
Application Software
Specialist configuration
My personal opinion
GAP Analysis is a very effective tool for developing

and maintaining compliance
– are you too timid to use it?

Any queries on this presentation?
Please contact……
Dr. Jennifer Methfessel
ABB Ltd
Belasis Hall Technology Park
Billingham
Cleveland, TS23 4YS
UK
Tel: +44 (0)1642 372321
Fax: +44 (0)1642 372166
Mob: +44 (0)7715 759197

e-mail:
jennifer.methfessel@gb.abb.com

Gap Analysis

Caricato da

Informazioni sul documento

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Gap Analysis

Caricato da

Copyright:

Formati disponibili

Dr Jennifer Methfessel

 To explore how gap analysis can be used to improve

 Think about how to choose the most appropriate method of

 CSV Gap Analysis: Case Study

 Gap Analysis in IT and for 21 CFR Part 11 Assessments

 What are practical and impractical corrective actions

 Using GAP Analysis to mitigate Enforcement Actions

 Why do a gap analysis?

The “shape” The size of

Gap New Law or

 Identify knowledge and competencies required

 Gap = difference between actual state and desired state

Know your desired state!

 Checklist describes desired state

 Individuals don’t have high degree of subject knowledge

 Auditor prepares a script which is a prompt for the areas

 Baseline of compliance status is required

 Chairman prepares script of areas to be covered and

 Evaluate risks associated with each option

 What are the priorities?

Gap is closed at appropriate cost in an

 Only find the gaps you are looking for

 Failure to analyse the root cause behind the gaps

 Assess the gaps but don’t communicate or manage the

 Failure to monitor actions and document closure

 The IT Director of a Development Department asked for a

 Industry Best Practice

Site 1 SOP Site 1

Review Plan Site 2 SOP Site 2 Summing

Site 3 SOP Site 3

 One report for each site which

 One presentation of findings to management

 Information Management Leadership

 Auditor style gap assessment

 Cost = USD 40K plus travel expenses

M02 Written Validation Policy approved by 11.10a 1A CSV4 CSV policy

M03 Written record retention policy / 58.195 11.10c

M04 Continuous Improvement/ self 58.35d 11.10 O1

M05 Records Ownership (details of who is 58.190 11.10c O6

M06 Evidence that QM practices are 7A CSV5

Site 1 Site 2 Site 3

Gap 1: Compliance vulnerabilities in policies and

Site 1 Site 2 Site 3

Management Gap 1 Gap 2

Gap 2: Weaknesses with SLA agreements internally

Site 1 Site 2 Site 3

Management Gap 1 Gap 2

Gap 4: Document management system used for

Site 1 Site 2 Site 3

Management Gap 1 Gap 2

Gap 5: No evidence of written system specifications

 Summary of strengths across all three sites

Benefit gained from a GAP Analysis increases

 The Checklist approach

 Used widely throughout  Variable quality outcome

 The Meeting approach

 The solution would financially put the company out of business

 No buy-in from system owners

Avoid a FDA-483 Observation

 Use GAP analysis

 Report planned remediation to FDA

 Use a GAP analysis to identify the true compliance GAP

GAP Analysis is a very effective tool for developing