Friday, 19 September 2008

Standards: Incidents, Problems and CAPA

An analysis of FDA Warning Letters issued over the past few years shows some recurring themes (see previous posts). One of these that consistently stands out is the regulations cited more than any other; 21CFR Part 820.100 Corrective and Preventive Action closely followed by 21CFR 820.198 Complaint Files.

In this blog I want to highlight what CAPA is, and also place it in the context in terms of Incident Management and Problem Management, alongside Complaints.

Incident Management and Problem Management

ITIL has a clear explanation of Incident and Problem Management and the difference between them. It goes like this; consider the following analogy:

Every city has a stretch of road where accidents seem to occur on a regular basis; so called “accident black-spots”. When an accident happens, the police are usually the first on the scene, quickly followed by other emergency vehicles as required: ambulances, fire, tow truck, etc. The first order of business is to attend to the injured. Next is to get the traffic moving again.

This is the essence of Incident Management; it is reactive and looks for an immediate, short-term solution.

Somewhere, people are gathering information and analysing that accident, what may have caused it and how it may relate to other accidents which occurred along that same stretch of road. They analyse, among other things, traffic patterns, the time of day, weather conditions at the time, road signage. From this analysis, they seek to determine the ROOT CAUSE of the accidents and thus find a means of preventing accidents.

This is the essence of Problem Management; it is proactive and looks for a permanent solution to prevent further incidents.

Corrective and Preventive Action

FDA Guidance says the following;

Corrective action is a reactive tool for system improvement to ensure that significant problems do not recur.

and...

Being proactive is an essential tool in quality systems management. Succession planning, training, capturing institutional knowledge, and planning for personnel, policy, and process changes are preventive actions that will help ensure that potential problems and root causes are identified, possible consequences assessed, and appropriate actions considered.

So the focus in these activities is to find root causes and ways to stop problems happening in the future, rather than righting what has happened in the past.

It is important to understand that CAPA is not an Incident Management process - CAPA is all about Problem Management; it is the same as ITIL Problem Management, with both reactive (triggered by incidents/failures) and proactive (triggered by other sources) activities.

The Incident Management process is essentially addressed by the "Complaint Files" regulation for medical devices (and others focussing on manufacturing incidents and adverse events). Perhaps this is a source for the large volume of citations for violation of these regulations; companies lack an understanding of the interface between Complaints (incidents) and CAPA (problems), which is much easier to understand when viewed from the ITIL framework.

GAMP Honorable Mention

As a footnote to this, it is worth mentioning that GAMP4 did not really address either incident or problem management. This has been corrected in GAMP5 with the addition of the Operational Appendices O4 Incident Management and O5 Corrective and Preventive Action. Note how GAMP employs language recognisable to IT stakeholders (incidents) and regulatory stakeholders (CAPA), bridging the gap of understanding that may have existed before.

Sunday, 7 September 2008

Standards: What is "best practice"??

Dilbert.com

There are a lot of things out there that claim to be representing "best practice". Here is a brief list of the management systems or approaches that are commonly mentioned:

ISO 12207: aims to be 'the' standard that defines all the tasks required for developing and maintaining software.

ISO 20000: describes the best practices for service management

ISO 27001: specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS

ISO 9001: set of requirements for a quality management system.

ISO 13485: requirements for a comprehensive management system for the design and manufacture of medical devices.

ISO 15504: Software Process Improvement and Capability dEtermination is a "framework for the assessment of processes".

COBIT: a set of best practices (framework) for information technology (IT) management

ITIL: a set of concepts and techniques for managing information technology (IT) infrastructure, development, and operations.

GAMP: a series of Good Practice Guides on several topics involved in drug manufacturing

CMMI: a process improvement approach that provides organizations with the essential elements of effective processes.

COSO: a common definition of internal controls, standards, and criteria against which companies and organizations can assess their control systems

So what are the differences? Well as you may deduce, there not that many real differences underlying these publications. Some focus on service management, and others on software development, and others on system or process controls, but in their efforts to broaden their appeal, they actually overlap to such an extent that they can often be mapped process for process - the only real difference is the language used to describe the tasks.

Here is a typical example of mapping between ITILv2 and COBITv4. And remembering that ISO20000 is derived from ITIL, then there is a map from COBIT to ISO20000.

So whichever system you choose to adopt, you can make a fairly safe bet that you will also be covering many of the requirements from the other models.

ITIL ProcessCOBIT
 ProcessControl ObjectiveCOBIT Process
SERVICE LEVEL MANAGEMENTDS 1DS 1.0Define and Manage Service Levels
The SLM ProcessDS 1DS 1.1Service Level Agreement Framework
Planning the ProcessDS 1DS 1.2Aspects of Service Level Agreements
Implementing the ProcessDS 1DS 1.2Aspects of Service Level Agreements
The On-going ProcessDS 1DS 1.5Review of Service Level Agreements and Contracts
SLA contents and key targetsDS 1DS 1.2Aspects of Service Level Agreements
Key Performance Indicators and metrics for SLM efficiency and effectivenessDS 1DS 1.4Monitoring and Reporting
    
FINANCIAL MANAGEMENT FOR IT SERVICESPO 5PO 5.0Manage the IT Investment
BudgetingPO 5PO 5.1Annual IT Operating Budget
Developing the IT Accounting systemPO 5PO 5.1Annual IT Operating Budget
Developing the Charging SystemDS 6DS 6.2Costing Procedures
Planning for IT Accounting and ChargingDS 6DS 6.1Chargeable Items
ImplementationDS 6DS 6.0Identify and Allocate Costs
Ongoing management and operationDS 6DS 6.3User Billing and Chargeback Procedures
    
    
CAPACITY MANAGEMENTDS 2DS 2.0Manage Third-Party Services
The Capacity Management processDS 3DS 3.0Manage Performance and Capacity
Activities in Capacity ManagementDS 3DS 3.7Capacity Management of Resources
Costs, benefits and possible problemsDS 3DS 3.7Capacity Management of Resources
Planning and implementationDS 3DS 3.0Manage Performance and Capacity
Review of the Capacity Management processDS 3DS 3.3Monitoring and Reporting
Interfaces with other SM processesn.a.n.a.n.a.
    
    
IT Service Continuity Management DS 4DS 4.0Ensure Continuous Service
Scope of ITSCMDS 4DS 4.1IT Continuity Framework
The Business Continuity LifecycleDS 4DS 4.1IT Continuity Framework
Management StructureDS 4DS 4.1IT Continuity Framework
Generating awarenessDS 4DS 4.1IT Continuity Framework
Interfaces with other SM processesn.a.n.a.n.a.
    
    
AVAILABILITY MANAGEMENT DS 4DS 4.0Ensure Continuous Service
Basic conceptsDS 4DS 4.2IT Continuity Plan Strategy and Philosophy
The Availability Management ProcessDS 4DS 4.0Ensure Continuous Service
The Cost of (Un)AvailabilityPO 9PO 9.4Assess Risks
Availability PlanningDS 3DS 3.2Availability Plan
Availability improvementDS 4DS 4.4Minimising IT Continuity Requirements
Availability measurement and reportingDS 3DS 3.3Monitoring and Reporting
Availability Management toolsDS 3DS 3.4Modeling Tools
Availability Management methods and techniquesDS 3DS 3.0Manage Performance and Capacity
    
THE SERVICE DESKDS 8DS 8.0Assist and Advise Customers
OverviewDS 8DS 8.1Help Desk
Implementing a Service Desk infrastructureDS 8DS 8.1Help Desk
Service Desk technologiesn.a.n.a.n.a.
Service Desk responsibilities, functions, staffing levels etcPO 4PO 4.4Roles and Responsibilities
Service Desk staffing skill setPO 7PO 7.4Personnel Training
Setting up a Service Desk environmentPO 8PO 8.1External Requirements Review
Service Desk education and trainingPO 7PO 7.4Personnel Training
Service Desk processes and proceduresDS 8DS 8.0Assist and Advise Customers
Incident reporting and reviewDS 5DS 5.10Violation and Security Activity Reports
    
    
INCIDENT MANAGEMENTDS 10DS 10.0Manage Problems and Incidents
Goal of Incident ManagementDS 10DS 10.0Manage Problems and Incidents
Scope of Incident ManagementDS 10DS 10.1Problem Management System
Basic conceptsDS 10DS 10.1Problem Management System
Benefits of Incident ManagementDS 10DS 10.1Problem Management System
Planning and implementationDS 10DS 10.1Problem Management System
Incident Management activitiesDS 10DS 10.3Problem Tracking and Audit Trail
Handling of major IncidentsDS 10DS 10.2Problem Escalation
Roles of the Incident Management processDS 10DS 10.0Manage Problems and Incidents
Key Performance IndicatorsDS 10DS 10.3Problem Tracking and Audit Trail
ToolsDS 10DS 10.1Problem Management System
    
    
PROBLEM MANAGEMENTDS 10DS 10.0Manage Problems and Incidents
Goal of Problem ManagementDS 10DS 10.0Manage Problems and Incidents
Scope of Problem ManagementDS 10DS 10.1Problem Management System
Basic conceptsDS 10DS 10.1Problem Management System
Benefits of Problem ManagementDS 10DS 10.1Problem Management System
Planning and implementationDS 10DS 10.1Problem Management System
Problem control activitiesDS 10DS 10.3Problem Tracking and Audit Trail
Error control activitiesDS 10DS 10.3Problem Tracking and Audit Trail
Proactive Problem ManagementDS 8DS 8.5Trend Analysis and Reporting
Providing information to the support organisationDS 8DS 8.5Trend Analysis and Reporting
MetricsDS 10DS 10.0Manage Problems and Incidents
Roles within Problem ManagementDS 10DS 10.0Manage Problems and Incidents
    
    
CONFIGURATION MANAGEMENTDS 9DS 9.0Manage the Configuration
Goal of Configuration ManagementDS 9DS 9.0Manage the Configuration
Scope of Configuration ManagementDS 9DS 9.0Manage the Configuration
Basic conceptsDS 9DS 9.1Configuration Recording
Benefits and possible problemsDS 9DS 9.1Configuration Recording
Planning and implementationDS 9DS 9.1Configuration Recording
ActivitiesDS 9DS 9.0Manage the Configuration
Process controlDS 9DS 9.0Manage the Configuration
Relations to other processesn.a.n.a.n.a.
Tools specific to the Configuration Management processn.a.n.a.n.a.
Impact of new technologyn.a.n.a.n.a.
Guidance on Configuration Managementn.a.n.a.n.a.
    
    
CHANGE MANAGEMENTAI 6AI 6.0Manage Changes
Goal of Change ManagementAI 6AI 6.0Manage Changes
Scope of Change ManagementAI 6AI 6.0Manage Changes
Basic conceptsAI 6AI 6.1Change Request Initiation and Control
Benefits, costs and possible problemsAI 6AI 6.2Impact Assessment
ActivitiesAI 6AI 6.0Manage Changes
Planning and implementationAI 6AI 6.0Manage Changes
Metrics and management reportingAI 6AI 6.2Impact Assessment
Software toolsAI 6AI 6.3Control of Changes
Impact of new technologyn.a.n.a.n.a.
    
    
RELEASE MANAGEMENTAI 6AI 6.0Manage Changes
Goal of Release ManagementAI 6AI 6.7Software Release Policy
Scope of Release ManagementAI 6AI 6.7Software Release Policy
Basic conceptsAI 6AI 6.7Software Release Policy
Benefits and possible problemsAI 6AI 6.7Software Release Policy
Planning and implementationAI 6AI 6.7Software Release Policy
Process controlAI 6AI 6.7Software Release Policy
Relations to other processesn.a.n.a.n.a.
Tools specific to the Release Management processn.a.n.a.n.a.
Guidance for successful Release ManagementAI 6AI 6.7Software Release Policy