One of the reasons I joined my organization is that I wanted to experience being a Department of Defense contractor. The work Evotec is doing is just super fascinating, so it was hard to resist.
This means I am taking a NIST SP 800-171 crash course as I figure out what it means to comply with the Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity clause 252.204-7012. I swear this makes Part 11 look like the kindergarten it is.
NIST SP 800-171 (Revision 2) has 110 security requirements across 14 control families:
Access Control
Awareness and Training
Audit and Accountability
Configuration Management
Identification and Authentication
Incident Response
Maintenance
Media Protection
Personnel Security
Physical Protection
Risk Assessment
Security Assessment
System and Communications Protection
System and Information Integrity
Implementing the requirements and self-assessing against them follows a set sequence. Organizations must:
Form an assessment team
Create an assessment plan
Collect relevant documents and evidence
Assess individual requirements
Create a plan of action for unmet requirements
Develop a System Security Plan (SSP)
Here is a comparison of NIST SP 800-171 and ISO 27001, aspect by aspect:
Purpose
NIST SP 800-171: Protect Controlled Unclassified Information (CUI) in non-federal systems
ISO 27001: Provide a framework for an Information Security Management System (ISMS)
Scope
NIST SP 800-171: Focused on safeguarding CUI
ISO 27001: Broader approach to overall information security management
Origin
NIST SP 800-171: U.S. National Institute of Standards and Technology
ISO 27001: International Organization for Standardization (published jointly with the IEC as ISO/IEC 27001)
Primary Users
NIST SP 800-171: U.S. Department of Defense contractors and subcontractors that handle CUI
ISO 27001: Organizations worldwide seeking robust information security
Certification
NIST SP 800-171: No formal certification process defined by the standard itself
ISO 27001: Formal certification through accredited third-party audits
Structure
NIST SP 800-171: 110 security requirements across 14 families (Revision 2)
ISO 27001: 114 controls across 14 domains in Annex A (2013 edition; the 2022 edition reorganizes Annex A into 93 controls under 4 themes)
Flexibility
NIST SP 800-171: Prescriptive requirements
ISO 27001: More flexible, risk-based approach
Mandatory Controls
NIST SP 800-171: All requirements are mandatory; any not yet met must be tracked on the plan of action
ISO 27001: No mandatory Annex A controls; controls are selected based on risk and justified in the Statement of Applicability (the management-system clauses themselves are mandatory)
International Recognition
NIST SP 800-171: Primarily recognized in the U.S.
ISO 27001: Globally recognized standard
Cost
NIST SP 800-171: Generally less expensive to implement
ISO 27001: Can be more costly due to the certification process
Maturity Model
NIST SP 800-171: Does not include a maturity model
ISO 27001: Does not include a maturity model (but compatible with other maturity models)
I’m reviewing the status of cleaning validation. Here is the list I’m currently going through, just in case it helps others.
Develop a comprehensive cleaning validation master plan that outlines your overall approach, policies, and procedures for cleaning validation at your facility. This should cover all aspects of the cleaning validation lifecycle.
Ensure you have written standard operating procedures (SOPs) for equipment cleaning processes that address different scenarios (e.g., cleaning between batches, between product changes, etc.).
Have written cleaning validation protocols for each piece of equipment that cover sampling procedures, analytical methods, and other recurring points of concern.
Maintain thorough documentation of your cleaning validation studies, including the protocols, results, and final reports stating whether the cleaning process for each piece of equipment is valid.
Implement a continuous verification program for routine residue monitoring after initial cleaning validation.
Be prepared to demonstrate that your cleaning procedures can consistently clean equipment to predetermined standards using scientifically sound sampling and analytical test methods.
Have data available to support your rationale for residue limits, which should be logical, practical, achievable, and verifiable.
Be ready to explain your approach for different types of equipment (dedicated vs. multi-use) and how you handle potent compounds or other high-risk materials.
Review your cleaning agent selection process and be able to justify the cleaning methods and agents used.
Ensure you have a system in place for equipment maintenance and cleaning records.
Be prepared to discuss how you handle manual vs. automated cleaning processes and any associated validation differences.
Review past audits or inspections and ensure any previous findings related to cleaning validation have been addressed.
I’ve always been clear to folks when I describe my blogging that I do this for a few reasons:
As a way to clarify my thoughts on a topic, usually before or after a difficult conversation on the topic
To rant about something that is on my mind without causing folks at work to start scurrying to address my ideas as requests for immediate action (has happened more than I would like to admit)
As a way to give back to the profession that has been so good to me
As a way to push the conversation in a direction and help further the profession.
While it is often good for 1+2, I don’t get enough comments and feedback to know about 3+4.
Additionally, my writing is often linked to my mental health and happiness at work. Miserable? I disappear for months. Feeling good about things? I write a ton.
I set myself a goal this month to write a little every day. The funny thing is, it didn’t move the needle in metrics at all.
I don’t have any comparisons, so I have no idea if this number of views is good. But seriously, a blogpost I wrote 3 years ago (that needs to be cleaned up) is my most viewed post month after month.
I’m considering what to do after my little month-long experiment wraps up soon. No matter what, I think the blog’s public-thinking nature will continue. But I am asking myself, “Do I want more out of the blog?”
ICH Q9(R1) can be read as a revision that addresses long-standing issues of subjectivity in risk management. Subjectivity is a widespread problem throughout the quality sphere, posing significant challenges because it introduces personal biases, emotions, and opinions into decision-making processes that should ideally be driven by objective data and facts.
Inconsistent Decision-Making: Subjective decision-making can lead to inconsistencies because different individuals may have varying opinions and biases. This inconsistency can result in unpredictable outcomes and make it challenging to establish standardized processes. For example, one manager might prioritize customer satisfaction based on personal experiences, while another might focus on cost-cutting, leading to conflicting strategies within the same organization.
Bias and Emotional Influence: Subjectivity often involves emotional influence, which can cloud judgment and lead to decisions not in the organization’s best interest. For instance, a business owner might make decisions based on a personal attachment to a product or service rather than its market performance or profitability. This emotional bias can prevent the business from making necessary changes or investments, ultimately harming its growth and sustainability.
Risk Management Issues: In risk assessments, subjectivity can significantly impact the identification and evaluation of risks. Subjective assessments may overlook critical risks or overemphasize less significant ones, leading to inadequate risk management strategies. Objective, data-driven risk assessments are essential to accurately identify and mitigate potential threats to the business. See ICH Q9(R1).
Difficulty in Measuring Performance: Subjective criteria are often more complicated to quantify and measure, making it challenging to track performance and progress accurately. Objective metrics, such as key performance indicators (KPIs), provide clear, measurable data that can be used to assess the effectiveness of business processes and make informed decisions.
Potential for Misalignment: Subjective decision-making can lead to misalignment between business goals and outcomes. For example, if subjective opinions drive project management decisions, the project may deviate from its original scope, timeline, or budget, resulting in unmet objectives and dissatisfied stakeholders.
Impact on Team Dynamics: Subjectivity can also affect team dynamics and morale. Decisions perceived as biased or unfair can lead to dissatisfaction and conflict among team members. Objective decision-making, based on transparent criteria and data, helps build trust and ensures that all team members are aligned with the business’s goals.
Every organization I’ve been in has had a huge problem with subjectivity. I’m confident in asserting that none of us are doing enough to deal with the lack of objectivity; we mostly rely on intuition instead of on objective guidelines that would create unambiguous, holistic, and universally usable models.
Understand the Decisions We Make
Every day, we make many decisions, sometimes without even noticing it. These decisions fall into four categories:
Acceptances: a binary choice between accepting or rejecting;
Choices: opting for a subset from a group of alternatives;
Constructions: creating an ideal solution given accessible resources;
Evaluations: statements of worth, backed by a commitment to act on them.
These decisions can be simple or complex, involving many criteria and several perspectives. Decision-making is the process of choosing an option among many alternatives.
The Fallacy of Expert Immunity is a Major Source of Subjectivity
There is a widespread but incorrect belief that experts are impartial and immune to biases. The truth is that no one is immune to bias, not even experts. In many ways, experts are more susceptible to certain biases. The very making of expertise creates and underpins many of the biases. For example, experience and training lead experts to engage in more selective attention, use chunking and schemas (typical activities and their sequence), and rely on heuristics and expectations arising from past base-rate experience, utilizing a whole range of top-down cognitive processes that create a priori assumptions and expectations.
These cognitive processes often enable experts to make quick and accurate decisions. However, the same mechanisms also create bias that can lead them in the wrong direction. Regardless of the utility (and vulnerability) of such cognitive processing in experts, it does not make experts immune from bias; indeed, expertise and experience may actually increase (or even cause) certain biases. Experts across domains are subject to cognitive vulnerabilities.
Even when experts are made aware of and acknowledge their biases, they nevertheless think they can overcome them by mere willpower. This is the illusion of control. Combating and countering these biases requires taking specific steps—willpower alone is inadequate to deal with the various manifestations of bias.
In fact, trying to deal with bias through the illusion of control may actually increase the bias due to “ironic processing” or “ironic rebound.” Hence, trying to minimize bias by willpower makes you think of it more and increases its effect. This is similar to a judge instructing jurors to disregard specific evidence. By doing so, the judge makes the jurors notice this evidence even more.
Such fallacious beliefs prevent us from dealing with biases because they dismiss their power and existence. We need to acknowledge the impact of biases and understand their sources in order to take appropriate measures, when needed and when possible, to combat their effects.
Six Fallacies that Increase Subjectivity
Each fallacy below is paired with the incorrect belief behind it.
Ethical Issues: bias is an issue of morals and personal integrity, a question of personal character.
Bad Apples: it only happens to corrupt and unscrupulous individuals.
Expert Immunity: experts are impartial and are not affected, because bias does not impact competent experts doing their job with integrity.
Technological Protection: using technology, instrumentation, automation, or artificial intelligence guarantees protection from human biases.
Blind Spot: other experts are affected by bias, but not me. I am not biased; it is the other experts who are biased.
Illusion of Control: I am aware that bias impacts me, and therefore I can control and counter its effect. I can overcome bias by mere willpower.
Mitigating Subjectivity
There are four basic strategies to mitigate the impact of subjectivity.
Data-Driven Decision Making
Utilize data and analytics to inform decisions, reducing reliance on personal opinions and biases.
Establish clear metrics with key performance indicators (KPI), key behavior indicators (KBI), and key risk indicators (KRI) that are aligned with objectives.
Implement robust data collection and analysis systems to gather relevant, high-quality data.
Use data visualization tools to present information in an easily digestible format.
Train employees on data literacy and interpretation to ensure proper use of data insights.
Regularly review and update data sources to maintain relevance and accuracy.
Standardized Processes
Implement standardized processes and procedures to ensure consistency and fairness in decision-making.
Document and formalize decision-making procedures across the organization.
Create standardized templates, checklists, and rubrics for evaluating options and making decisions.
Implement a consistent review and approval process for major decisions.
Regularly audit and update standardized processes to ensure they remain effective and relevant.
Education, Training, and Awareness
Educate and train employees and managers on the importance of objective decision-making and recognizing and minimizing personal biases.
Conduct regular training sessions on cognitive biases and their impact on decision-making.
Provide resources and tools to help employees recognize and mitigate their own biases.
Encourage a culture of open discussion and constructive challenge to promote diverse perspectives.
Implement mentoring programs to share knowledge and best practices for objective decision-making.
Digital Tools
Leverage digital tools and software to automate and streamline processes, reducing the potential for subjective influence. The last two items in this list are still more aspiration than reality.
Implement workflow management tools to ensure consistent application of standardized processes.
Use collaboration platforms to facilitate transparent and inclusive decision-making processes.
Adopt decision support systems that use algorithms and machine learning to provide recommendations based on data analysis.
Leverage artificial intelligence and predictive analytics to identify patterns and trends that may not be apparent to human decision-makers.
Defining the accountable individuals in a process is critical. In GAMP5, the technical System Owner role is distinct from the business Process Owner role, which focuses more on the system’s business process and compliance aspects.
The System Owner
The System Owner is responsible for the computerized system’s availability, support, and maintenance throughout its lifecycle. The System Owner is the technical side of the equation and is often an IT director/manager or application support manager. Key responsibilities include:
Defining, reviewing, approving, and implementing risk mitigation plans
Ensuring technical requirements are documented
Managing change control for the system
Conducting evaluations for change requests impacting security, maintainability, data integrity, and architecture
Performing system administration tasks like user and privilege maintenance
Handling system patching, documentation of issues, and facilitating vendor support
Frankly, I think too many organizations make the system owner too low-level. These lower-level individuals may perform system admin tasks and handle system patching, but the more significant risk questions require extensive experience.
The System Owner focuses on the technical aspects of validation and ensures adequate procedural controls are in place after validation to maintain the validated state and protect data integrity.
The System Owner role requires learning and understanding new products and complex system architectures. They are the architect and need to be in charge of the big picture.
The Process Owner
In the context of GAMP5, a Process Owner plays a crucial role in the lifecycle management of computerized systems used in regulated industries such as pharmaceuticals and biotechnology. The Process Owner is ultimately accountable for the system’s implementation, validation, and ongoing compliant use.
I’ve written a lot about Process Owners. This use of process owner is 100% aligned with previous thinking.
Key Responsibilities of a Process Owner
System Implementation and Validation: The Process Owner ensures the system is implemented and validated according to regulatory requirements and company policies. This includes overseeing the creation and maintenance of validation documentation and ensuring the system meets its intended use.
Ongoing Compliance and Maintenance: The Process Owner must ensure the system remains validated throughout its lifecycle. This involves regular reviews, updates, and maintenance activities to ensure continued compliance with regulatory standards.
Data Integrity and Quality: The Process Owner is usually also the data owner and is responsible for the data’s integrity across the system’s administration, operation, maintenance, and decommissioning. They must ensure that data integrity and quality requirements are met and maintained.
Decision-Making Authority: The Process Owner should be at a level within the organization that allows them to make business and process decisions regarding the system. This often includes roles such as operations director/manager, lab manager, or production manager.
Collaboration with Other Teams: The Process Owner must collaborate with various teams, including Quality (QA), IT, Computer System Validation (CSV), training, HR, system vendors, and system development teams, to ensure that all necessary compliance activities are performed and documented promptly.
Skills and Knowledge Required
Detailed Understanding of the System: The Process Owner should have a comprehensive understanding of the system, its purpose, functions, and use within the organization.
Regulatory Knowledge: A good grasp of regulatory requirements is crucial for ensuring the system complies with all relevant guidelines and standards.
Validation Practices: The Process Owner will sign off on validation documents and ensure that the system is fit for its intended use.
While the Molecule Steward, the ASTM E2500 SME role, is not directly equivalent to the GAMP 5 roles, it shares some similarities with both the system owner and process owner, particularly in terms of specialized knowledge and involvement in critical aspects of the system. It’s best to think of the Molecule Steward as the third part of this triad, ensuring the robustness of the scientific approach.
Comparison of System Owner, Process Owner and ASTM E2500 SME (Molecule Steward)
Primary Focus
System Owner: technical aspects and maintenance of the system
Process Owner: business process and compliance aspects
Molecule Steward: specialized knowledge of critical aspects
Typical Role
System Owner: IT director/manager or application support manager
Process Owner: head of the functional unit or department using the system
Molecule Steward: subject matter expert in a specific field
Key Responsibilities
System Owner: system availability, support, and maintenance; data security; risk mitigation plans; technical requirements documentation; change control management; evaluating change requests
Process Owner: overall system integrity and compliance; data ownership; user requirements definition; SOP development and maintenance; ensuring GxP compliance; approving key documentation; user training
Molecule Steward: defining system needs; identifying critical aspects; leading quality risk management; developing verification strategies; reviewing system designs; executing verification tests
Expertise
System Owner: strong technical background
Process Owner: business process knowledge
Molecule Steward: specialized technical knowledge
Accountability
System Owner: system performance and security
Process Owner: business use and regulatory compliance
Molecule Steward: critical aspects impacting product quality and patient safety
Involvement in Validation
System Owner: focuses on technical validation aspects
Process Owner: ensures validation meets business needs
Molecule Steward: leads verification activities
Scale of the System
People make the system too small here. This isn’t equipment A or computer system X. It’s the entire system that produces result Y. For example, it is the manufacturing process for drug substance (DS), or upstream DS, not the individual bioreactors. Lower-level assistants can help with the wrangling, but there should be overall accountability. The System Owner, Process Owner, and ASTM E2500 SME must have the power in the organization to be truly accountable.
The Role of Quality
The Quality Unit is responsible for ensuring the right process and procedure are in place, that regulatory requirements are met, and that the system is fit for use and fit for purpose. The Quality Unit in GAMP5 is crucial for ensuring the safety, efficacy, and regulatory compliance of pharmaceutical products and computerized systems.
Ensuring Compliance and Product Quality: Quality is vital in ensuring that computerized systems used in pharmaceutical manufacturing meet regulatory requirements and consistently produce high-quality products. The Quality Unit helps organizations maintain high-quality standards in the various processes.
Risk Management: The Quality Unit champions a science-based risk management approach to system validation and qualification. Quality ensures the identification and assessment of potential risks.
Lifecycle Approach: The Quality Unit ensures that validation activities are conducted throughout the system’s lifecycle, from concept to retirement.
Documentation and Traceability: The Quality Unit oversees comprehensive documentation and traceability throughout the system’s lifecycle. Detailed records enable transparency, facilitate audits, and demonstrate compliance with regulatory requirements.
Change Management: The Quality Unit evaluates and controls system changes to ensure that modifications do not compromise product quality or patient safety.
Data Integrity: Quality is crucial in maintaining data integrity and ensuring records’ accuracy, reliability, and completeness.
Supplier and Internal Audits: Quality regularly audits suppliers and internal processes to ensure compliance and quality. These audits help identify gaps and areas for improvement in system development, implementation, and maintenance.
Beyond GAMP5
I consider this the best practice for handling an ASTM E2500 approach.