A Validation gap analysis is usually the first thing a Validation consultant is requested to perform on meeting a new client. A reassurance that all discrepancies have been identified and reconciled - in house. When an existing problem is not discovered, acknowledged and remedied, and a visiting regulator discovers it, the issues can be, and very often are damaging to individual careers, and to the company.
Execution of the Validation Gap Analysis gives tremendous reassurance that the validation and compliance requirements of the company are being met.
Validation Gap Analysis tools allow you to systematically challenge the company’s cGMP compliance policies and procedures, comparing them with the regulatory expected standards and enables you to draw up a list of all the delinquencies. Until you can highlight the company’s deficiencies, you are not able to scope the task of becoming compliant. It really is difficult and verging on the impossible to put resources together for an unmeasured task.
Poor CAPA systems remain one of the top problem areas for both the drug and device industries when it comes to FDA inspections. And CAPA citations account for more than 50 percent of FDA warning letters. Are you certain your CAPA system is compliant –
- if not absolutely certain -
The FDA brought out and now police compliance with the Quality Systems (QS) guideline's, that compliment the current Good Manufacturing Procedures and provide the tools for industry to implement effective QS’s that will guarantee the best product quality for the customers. The next step for most companies is to perform a Gap Analysis (GA) to determine what actions are necessary for them to be in compliance with the new guideline. The GA must be conducted as a planned / organized process and must be documented. The personnel conducting the GA compliance and validation analysis must also be qualified and must prioritize the areas to be inspected. It must be verified that the cascade of documents used in qualifying equipment i.e. VMP
- URS - DQ - IQ - OQ - P1Q - P2Q, are in place and all of them have have been constructed in accordance with the company's practices and procedures manual.
As long as the process operates in a state of control and no changes have been made to the process or output product, the process does not have to be revalidated. Whether the process is operating in a state of control is determined by analyzing day-to-day process control data and any finished device testing data for conformance with specifications and for variability.
Regulators require documents to be based on agreed and approved policies and procedures. That means that the documents must flow from the top policy and procedure documents through the assessment and scoping stage and into the inspection and testing stage. Throughout this flow, traceability must be maintained to demonstrate that the original requirements as documented in the URS have indeed been verified as delivered. You can't start writing an Installation Qualification (IQ), without having an approved Validation Plan in place to scope the all activities, and of course the VP can’t be started unless there is an approved User Requirement Specification (URS), in place. The normal and expected document flow is shown below:
The first document is not mandated, but is always asked for in regulatory reviews. (URS - DQ - VRA) are mandated and self explanatory. (IQ - OQ - P1Q - P2Q). The execution of a Validation Gap Analysis will give verification that these documents are in place and of acceptable standard.
The aim and object of using a Validation Gap Analysis protocol in the bio-med and pharmaceutical industries is to identify the gap between the regulatory requirements governing the company operations and the practices and processes the company has in use. This helps provide the company with insight into areas that have room for improvement. The execution of a Validation gap analysis process involves determining and documenting the variance between requirements and current capabilities. Once the general expectation of performance in the industry is understood it is possible to compare that expectation with the level of performance at which the company currently functions. This comparison becomes the GMP gap analysis results. Such analysis can be performed at the strategic or operational level of an organization.
Of great importance is the review of the company Validation Master Plan (VMP). The VMP must detail the methods to be used and the individual responsibilities for all validation activities, it is therefore imperative that it is correct in all aspects of GMP and company policies and procedures.
Next in importance to the VMP is the assurance that all equipment validation activities are originated from a fully detailed User Requirements Specification (URS). Without the URS all validation activities would be flawed. The more detailed the URS, the easier and quicker the validation exercise is to execute. It therefore pays dividends to get the URS correct.
Companies are now required to establish and maintain an adequate internal control structure and assess its effectiveness on an annual basis. Costs of compliance with Sarbanes-Oxley (SOX) 404 are, however, higher than planned.
Sarbanes-Oxley is the legislation introduced in the USA as a result of the Enron, World-com, and other financial scandals. The legislation currently applies to all USA businesses and any business that trades its shares on a US stock market. Additionally, the UK Government is planning to introduce similar legislation to Sarbanes-Oxley in the near future.
As Sarbanes-Oxley is gradually implemented, it will result in most business looking for systems that:
Improve security and close loop-holes that allow for errors and falsifications in financial records.
Introduce or support transparent processes that include all stake-holders, particularly in areas that have financial implications.
A document store that manages all of the documents, spreadsheets and other file types that need to be tracked and shared in the financial processes.
A system that ensures everyone that they are accessing the latest, correct version, track who made which changes with a full audit trail.
Document audit and edit, "red line" and "mark-up" the document without changing the original.
An audit full audit trail that even tracks if and when documents were read. A notification system that each user sets up, so they know automatically when something has changed, been read or reached a certain stage.
Discussions, bulletin boards and email stores, so that you facilitate process improvements and the move to best practice, and trap and record the history of these internal interactions.