I am looking forward to speaking at the GxP Cloud Compliance Summit in Boston in September on Implementing a Lifecycle Risk Management Approach to the Cloud. I’ll be discussing some of my favorite topics:
Best practices to harness a life cycle risk management approach to protect product quality and patient data
What does a living risk assessment look like when key parts of your IT infrastructure are maintained by cloud service providers
How does Q9 R1 impact functional and usage assessments around cloud applications
I am looking forward to meeting and discussing some of the critical questions in our heady embrace of the cloud.
Cloud-based GxP systems have shifted in the last few years from “Something I guess we should figure out” to “Well guess we have it now” to “Well that is all I seem to have now.” And where 5 years ago it seemed we were obsessed about the fine details of Open vs Closed systems and what cloud-based applications are, we are now looking at much more mature questions around a risk-based strategy that evaluates and ensures appropriate controls around Data Integrity, Privacy, and Security. Through a risk-based approach, we drive activities such as auditing, change control, qualification/validation, and oversight.
I am looking forward to having this discussion with my peers and sharing best practices and experiences. It is only through this type of event that we can grow as professionals.
Engaging with knowledge and Knowledge Management are critical parts of development. The ability to navigate the flood of available data to find accurate information is tied directly to individuals’ existing knowledge and their skills at distinguishing credible information from misleading content.
There is ample evidence that many individuals lack the ability to accurately judge their understanding or the quality and accuracy of their performance (i.e., calibration). To truly develop our knowledge, we need to be engaged in deliberative practice. But to truly calibrate requires feedback, guidance, and coaching that we may not have access to within our organizations. This requires effort and deliberate building of a system and processes.
Information can be found with little mental effort, but without critical analysis of its legitimacy or validity, the ease of information can actually work against the development of deeper-processing strategies. It is really easy to go online and get an answer, but unless learners put themselves in positions to struggle cognitively with an issue, and unless they have occasions to transform or reframe problems, their likelihood of progressing into competence is jeopardized.
The more learners forge principled knowledge in a professional domain, the greater their reported interest in and identity with that field. Therefore, without the active pursuit of knowledge, these individuals’ interest in professional development may wane and their progress toward expertise may stall. This is why I find professional societies so critical, and why I am always pushing people to step up.
My constant goal as a mentor is to help people do the following:
Refuse to be lulled into accepting a role as passive consumers of information, striving instead to be active producers of knowledge
Probe and critically analyze the information they encounter, rather than accepting quick, simple answers
Forge a meaningful interest in the profession and personal connections to members of professional communities, instead of relying on moment-by-moment stimulation and superficial relationships
If we are going to step up to the challenges ahead of us, to address the skill gaps we are seeing, we each need to be deliberate in how we develop and deliberate in how we build our organizations to support development.
Risk management is a crucial aspect of any organization or project. However, it is often subject to human errors in subjective risk judgments. This is because most risk assessment methods rely on subjective inputs from experts. Without certain precautions, experts can make consistent errors in judgment about uncertainty and risk.
There are methods that can correct the systemic errors that people make, but very few organizations implement them. As a result, there is often an almost universal understatement of risk. We need to keep in mind a few rules about experience and expertise.
Experience is a nonrandom, nonscientific sample of events throughout our lifetime.
Experience is memory-based and we are very selective regarding what we choose to remember.
What we conclude from our experience can be full of logical errors.
Unless we get reliable feedback on past decisions, there is no reason to believe our experience will tell us much.
No matter how much experience we accumulate, we seem to be very inconsistent in its application.
Experts have unconscious heuristics and biases that impact their judgment, some important ones include:
Misconceptions of chance: If you flip a coin six times, which result is more likely (H= heads, T= tails): HHHTTT or HTHTTH? They are both equal, but many people assume that because the first series looks “less random” than the second, it must be less likely. This is an example of representativeness bias. We appear to judge odds based on what we assume to be representative scenarios. Human beings easily confuse patterns and randomness.
The conjunction fallacy: We often see specific events as more likely than broader categories of events.
Irrational belief in small samples
Disregarding variance in small samples: The fact that small samples have more random variance than large samples is considered less than it should be.
Insensitivity to prior probabilities: People tend to ignore the past and focus on new information when making subjective estimates.
This all comes down to expert overconfidence, which leads to risks being consistently underestimated.
What are some ways to overcome this? I recommend the following be built into your risk management system.
Pretend you are in the future looking back at failure. Start with the assumption that a major disaster did happen and describe how it happened.
Look to risks from others. Gather a list of related failures, for example, regulatory agency observations, and think of risks in relation to those.
Include Everyone. Your organization has numerous experts on all sorts of specific risks. Make the effort to survey representatives of just about every job level.
Do peer reviews. Check assumptions by showing them to peers who are not immersed in the assessment.
Implement metrics for performance. The Brier score is a way to evaluate the result of predictions both by how often the team was right and by the probability they estimated for getting a correct answer.
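As an added illustration (not part of the original post), the following scores two hypothetical risk assessors with the Brier score and, going slightly beyond the text, splits it with the Murphy decomposition into reliability (calibration error), resolution, and uncertainty. The assessor labels, forecasts, and outcomes are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data: (assessor, estimated probability that the risk
# event occurs, outcome: 1 = event occurred, 0 = it did not).
FORECASTS = (
    [("A", 0.05, o) for o in (0, 1, 0, 0, 1)]
    + [("A", 0.20, o) for o in (1, 0, 1, 0, 1)]
    + [("B", 0.20, o) for o in (0, 0, 1, 0, 0)]
    + [("B", 0.80, o) for o in (1, 1, 0, 1, 1)]
)


def _mean(values):
    return sum(values) / len(values)


def brier_score(pairs):
    """Mean squared error between forecast probability and 0/1 outcome.

    0.0 is perfect; always answering 50% scores 0.25; lower is better.
    """
    pairs = list(pairs)
    if not pairs:
        raise ValueError("no forecasts to score")
    for p, o in pairs:
        if not 0.0 <= p <= 1.0 or o not in (0, 1):
            raise ValueError(f"invalid forecast/outcome: {p!r}, {o!r}")
    return _mean([(p - o) ** 2 for p, o in pairs])


def murphy_decomposition(pairs):
    """Return (reliability, resolution, uncertainty).

    Brier = reliability - resolution + uncertainty when forecasts are
    grouped by their exact stated probability, as done here.
    """
    pairs = list(pairs)
    n = len(pairs)
    base_rate = _mean([o for _, o in pairs])
    groups = defaultdict(list)
    for p, o in pairs:
        groups[p].append(o)
    # Reliability: gap between stated probability and observed frequency.
    reliability = sum(len(v) * (p - _mean(v)) ** 2 for p, v in groups.items()) / n
    # Resolution: how far each group's observed frequency is from the base rate.
    resolution = sum(len(v) * (_mean(v) - base_rate) ** 2 for v in groups.values()) / n
    uncertainty = base_rate * (1 - base_rate)
    return reliability, resolution, uncertainty


def score_by_assessor(records):
    """Per-assessor Brier score, decomposition, and bias.

    bias = mean forecast - observed frequency; negative means the assessor
    understated how often the risk events actually happened.
    """
    by_name = defaultdict(list)
    for name, p, o in records:
        by_name[name].append((p, o))
    report = {}
    for name, pairs in by_name.items():
        rel, res, unc = murphy_decomposition(pairs)
        report[name] = {
            "brier": brier_score(pairs),
            "reliability": rel,
            "resolution": res,
            "uncertainty": unc,
            "bias": _mean([p for p, _ in pairs]) - _mean([o for _, o in pairs]),
        }
    return report


if __name__ == "__main__":
    for name, row in sorted(score_by_assessor(FORECASTS).items()):
        print(name, {k: round(v, 5) for k, v in row.items()})
```

In this constructed data, assessor A scores worse than a constant 50% guess and shows a strongly negative bias, which is the pattern of understated risk described above.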
Further Reading
Here are some sources that discuss the topic of human errors and subjective judgments in risk management:
Discussions about Industry 4.0 and Quality 4.0 often focus on technology. However, technology is just one of the challenges that Quality organizations face. Many trends are converging to create constant disruption for businesses, and the Quality unit must be ready for these changes. Rapid changes in technology, work, business models, customer expectations, and regulations present opportunities to improve quality management but also bring new risks.
The widespread use of digital technology has raised the expectations of stakeholders beyond what traditional quality management can offer. As the lines between companies, suppliers, and customers become less distinct, the scope of quality management must expand beyond the traditional value chain. New work practices, such as agile teams and remote work, are creating challenges for traditional quality management governance and implementation strategies. To remain relevant, Quality leaders must adapt to these changes.
Challenge
Means
Impact to Quality Management
How to Prepare
Advanced Analytics
The increase in data sources and improved data processing has led to higher expectations from customers, regulators, business leaders, and employees. They expect companies to use data analytics to provide advanced insights and improve decision-making.
Requires a holistic approach that allows quality professionals to access, analyze and apply insights from structured and unstructured data
Quality excellence will be determined by how quickly data can be captured, analyzed, shared and applied
Develop a talent strategy to recruit, develop, rent or borrow individuals with data analytics capabilities, such as data science, coding and data visualization
Hyper-Automation
To become more efficient and agile in a competitive market, companies will increasingly use technologies like RPA, AI, and ML. These technologies will automate or enhance tasks that were previously done by humans. In other words, if a task can be automated, it will be.
How to ensure these systems meet intended use and all requirements
Algorithm-error-generated root causes
Develop a hyperautomation vision for quality management that highlights business outcomes and reflects the use cases of relevant digital technology
Perform a risk-based assessment with appropriate experts to identify critical failure points in machine and algorithm decision making
Virtualization of Work
The shift to remote work due to COVID-19, combined with advancements in cloud computing and AR/VR technology, will make work increasingly digital.
Rethink how quality is executed and governed in a digital environment.
Evaluate current quality processes for flexibility and compatibility with virtual work and create an action plan.
Uncover barriers to driving a culture of quality in a virtual working environment and incorporate virtual work-relevant objectives, metrics and activities into your strategy.
Shift to Resilient Operations
Prioritizing capabilities that improve resilience and agility.
Adapt in real-time to changing and simultaneously varying levels of risk without sacrificing the core purpose of Quality
Enable employees to make faster decisions without sacrificing quality by developing training to build quality-informed judgment and embedding quality guidance in employee workflows.
Identify quality processes that may prevent operational resilience and reinvent them by starting from scratch, ruthlessly challenging the necessity of every step and requirement.
Ensure employees and new hires have the right skill sets to design, build and operate a responsive network environment.
Rise of Inter-connected Ecosystems
The growth of interconnected networks of people, businesses, and devices allows companies to create value by expanding their systems to include customers, suppliers, partners, and other organizations.
Greater connectivity between customers, suppliers, and partners provides more visibility into the value chain. However, it also increases risk because it can be difficult to understand and manage different views of quality within the ecosystem.
Map out the entire quality management ecosystem model and its participants, as well as their interactions with customers.
Co-develop critical-to-quality behaviors with strategic partners.
Strengthen relationships with partners across the ecosystem to capture and leverage relevant information and data, while at the same time addressing data privacy concerns.
Digitally Native Workforce
Shift from digital immigrants (my generation and older) to digital natives: people who have grown up with, and are comfortable with, computers and the internet. Unlike other generations, digital natives are so used to using technology in all areas of their lives that it is (and always has been) an integral, necessary part of their day-to-day.
Increased flexibility leads to a need to rethink the way we monitor, train, and incentivize quality.
Connecting the 4 Ps: People, Processes, Policies and Platforms
Identify and target existing quality processes to digitize to offer desired flexibility.
Adjust messages about the importance of quality to connect with values employees care about (e.g., autonomy, innovation, social issues).
Customer Expectation Multiplicity
Customer expectations evolve quickly and expand into new-in-kind areas as access to information and global connectedness increases.
Develop product portfolios, internal processes and company cultures that can quickly adapt to rapidly changing customer expectations for quality.
Identify where hyperautomation and predictive capabilities of quality management can enhance customer experience and prevent issues before they occur.
Increasing Regulatory Complexity
The global regulatory landscape is becoming more complex as countries introduce new regulations at different rates. Increased push for localization.
Need a strong system to efficiently implement changes across different systems, locations, and regions while maintaining consistent quality management throughout the ecosystem.
Coordinate a structured regulatory tracking approach to monitor changing regulatory developments — highly regulated industries require a more comprehensive approach compared to organizations in a moderate regulatory environment
Challenges to Quality Management
The traditional Value Proposition of quality management is no longer sufficient to meet the expectations of stakeholders. With the rise of a digitally native workforce, there are new expectations for how work is done and managed. Business leaders expect quality leaders to have full command of operational data, diagnosing and anticipating quality problems. Regulators also expect high data transparency and traceability.
The value proposition of quality management lies in predicting problems rather than reacting to them. The primary objective of quality management should be to find hidden value by addressing the root causes of quality issues before they manifest. Quality organizations who can anticipate and prevent operational problems will meet or exceed stakeholder expectations.
Our organizations are on a journey towards utilizing predictive capabilities to unlock value, rather than one that retroactively solves problems. Our scope needs to be based on quality being predictive, connected, flexible, and embedded. For me this is the heart of Quality 4.0.
Quality management should be applied across a multitude of systems, devices, products, and partners to create a seamless experience. This entails transforming quality from a function into an interdisciplinary, participatory process. The expanded scope will reach new risks in an increasingly complex ecosystem. The Quality unit cannot do this on its own; it’s all about breaking down silos and building autonomy within the organization.
To achieve this transformation, we need to challenge ourselves to move beyond top-down and regimented Governance Models and Implementation Strategies. We need to balance our core quality processes and workflows to achieve repeatability and consistency while continually adjusting as situations evolve. We need to build autonomy, critical thinking, and risk-based thinking into our organizational structures.
One way to achieve this is by empowering end-users to solve their own quality challenges through participatory quality management. This encourages personal buy-in and enables quality governance to adapt in real-time to different ways of working. By involving end-users in the process of identifying and solving quality issues, we can build a culture of continuous improvement and foster a sense of ownership over the quality of our products and services.
The future of quality management lies in being predictive, connected, flexible, and embedded.
Predictive: The value proposition of quality management needs to be predicting problems over problem-solving.
Connected: The scope of quality management needs to extend beyond the value chain and connect across the ecosystem
Flexible: The governance model needs to be based on an open-source model, rather than top-down.
Embedded: The implementation strategy needs to shift from viewing quality as a role to quality as a skill.
By embracing these principles and involving all stakeholders in the process of continuous improvement, we can unlock hidden value and exceed stakeholder expectations.
Dealing with these challenges and implications requires the Quality organization to treat transformation like a Program. This program should have four main initiative areas:
Build the capacity for targeted prevention through targeted data insights. This includes building alliances with IT and other teams to have the right data available in flexible ways but it also includes the building of capacity to actually use the data.
Expand quality management to cover the entire value network.
Localize Risk Management to Make Quality Governance Flexible and Open Source.
Distribute Tasks and Knowledge to Embed Quality Management in the Business.
Across these pillars the program approach will:
Assess the current state: Identify areas requiring attention and improvement by examining existing People, Processes, Policies and Platforms. This comprehensive assessment will provide a clear understanding of the organization’s current situation and help pinpoint areas where projects can have the most significant impact
Establish clear objectives: Establish clear objectives to provide a clear roadmap for success.
Prioritize foundational elements: Prioritize building foundational elements. Avoid bells-and-whistles for their own sake.
Develop a phased approach: This is not an overnight process. Develop a phased approach that allows for gradual implementation, with clear milestones and measurable outcomes. This ensures that the organization can adapt and adjust as needed while maintaining ongoing operations and minimizing disruptions.
Collaborate with stakeholders: Engage stakeholders from across the organization to ensure alignment and buy-in. Create a shared vision for the initiative to ensure that everyone is working towards the same goals. Regular communication and collaboration among stakeholders will foster a sense of ownership and commitment to the transformation process.
Continuously monitor progress: Regularly review the progress, measuring outcomes against predefined objectives. This enables organizations to identify any potential issues or roadblocks and make adjustments as necessary to stay on track. Establishing key performance indicators (KPIs) will help track progress and determine the effectiveness of the Program.
Embrace a culture of innovation: Encourage a culture that embraces innovation and continuous improvement. This helps ensure that the organization remains agile and adaptive, making it better equipped to take advantage of new technologies and approaches as they emerge. Fostering a culture of innovation will empower employees to seek out new ideas and solutions, driving long-term success.
Invest in employee training and development: It is crucial to provide employees with the necessary training and development opportunities to adapt to new technologies and processes. This will ensure that employees are well-equipped to handle the changes brought about by these challenges and contribute to the organization’s overall success.
Evaluate and iterate: As the Program unfolds, it is essential to evaluate the results of each phase and make adjustments as needed. This iterative approach allows organizations to learn from their experiences and continuously improve their efforts, ultimately leading to greater success.
The pharmaceutical regulations call repeatedly for business continuity plans. For example, the FDA calls for fairly significant requirements for Medically Necessary Products:
Medically necessary drug products and their components are manufactured all over the world. An emergency situation anywhere in the world thus might affect the availability of drug products in the United States and result in drug shortages. Emergency preparedness for situations that could result in high employee absenteeism is an important goal for manufacturers of drug products and their components. For example, in an influenza pandemic, widespread human outbreaks of illness would be expected in the United States and around the world, resulting in widespread high absenteeism that could hinder normal production activities and cause shortages in the supply of drug products, packaging materials, and drug components. It is therefore vital for industry to prepare before an emergency situation occurs and to develop plans to ensure continuity of operations during emergencies (including, for example, an influenza pandemic, natural disaster, or personnel issue) that would prevent a significant portion of the work force from reporting. It is especially important for manufacturers of finished drug products to be aware of their suppliers’ and contractors’ responses to personnel shortages and, when appropriate, work with them to ensure the availability of high quality materials and services that contribute to the manufacture of MNPs.
You can find less definitive requirements throughout the various health authorities’ regulations and guidances.
So what do we mean by business continuity?
Business continuity is the holistic management process that ensures operations continue and that products and services are delivered at predefined levels (e.g. no shortages, no halt to an ongoing clinical trial). This approach is aligned with ISO 22301 Business Continuity Management Systems.
Business continuity management is an ongoing process based on the plan-do-check-act methodology that is made up of 4 key elements:
Emergency Action and Response Plans
Disaster Recovery Plans
Crisis Management Plans
Business Continuity Plans
Emergency Action Plans
An emergency action plan is designed to respond to an emergency with mitigating procedures to protect, secure and evacuate people to safety. This is more an OSHA thing; chances are your average Quality unit doesn’t end up owning it. Unless you have no HS&E unit, and then you write one.
This plan includes procedures for detecting, warning, and responding to specific potential emergencies such as fire, severe weather, earthquake, medical emergencies, workplace violence, and other potential threats.
Disaster Recovery Plan
Disaster recovery plans are designed to recover from a disaster, usually related to equipment, infrastructure, and information technology. Something big goes boom, how do you restore this vital support system or equipment as soon as possible and minimize downtime and loss of data. Very important for computer system lifecycle, disaster recovery plans should include specific plans for recovery functions, resumption strategies, critical personnel, equipment, services, and external and internal communications.
Crisis Management Plans
Crisis management is all about planning for and mitigating situations that carry risk, and it usually involves a lot of management of communications, internally and externally. This includes communications with regulators, health care providers, etc. When we implement SOPs for health authority notifications we are engaging in crisis management planning.
Business Continuity Plans
Business continuity planning identifies and plans for disasters or events that could negatively affect an organization’s business functions, objectives, income, reputation, and ultimate survival. This planning takes place in advance of the potential disasters or events that could harm an organization. It takes potential disasters and events into consideration with their effects on suppliers, vendors, customers, and the organization’s other stakeholders.
In a GxP environment, we are looking at the potential impact of disasters on drug supply and clinical study outcomes (amongst other key activities).
The BCP is all about minimizing the effects of the disaster or event on the organization and returning to normal operations as soon as possible.
These Plans are Interrelated
All four plans are interrelated and should be coordinated. The plans can be combined, but as there are usually very different owners they are often separated.
Documented Plans
The business continuity planning process should result in formal, documented plans that serve as a reference guide in the event of a disaster or event. The existence of the business continuity plans should be well communicated, with individuals with responsibilities having ready access and additional training.
Applying the Risk Management Process
The Business Continuity process should leverage existing risk assessments and sit around it.
Select Team
The team should be multifunctional and very knowledgeable about the organization’s business and the risks it faces. This should be a permanent team, not ad hoc, as this is a living process. You can always bring in ad hoc members for specific questions.
Define Context, Purpose, Scope
At a minimum you are tackling the disruption to product supply and cessation of critical GxP data but there may be other business requirements to tackle. Make sure everyone agrees on these.
Define Terminology
Make sure everyone is on the same page with just what disaster, event, crisis, stakeholder, and business continuity plan (and other important concepts) are.
Agree on the scales for likelihood and severity.
Critical Function Assessment
Identify the business functions that are sensitive to downtime, fulfill regulatory obligations and are vital for maintaining product supply.
Threat Assessment
Identify the threats to the performance of the critical functions.
Utilize a risk matrix to assess the likelihood and severity of the identified hazards and risks.
Develop Business Continuity Plan(s)
After the hazards and risks have been identified, the impact understood and the risks assessed, it is time to develop the business continuity plan (BCP). The BCP allows the organization to survive the event or disaster with minimal disruption. The BCP focuses on mitigating the consequences of the event or disaster that could not be prevented. Recovery strategies for these consequences are determined, developed and become part of the BCP.
When many potential risks have been identified, use the risk score to prioritize.
BCPs cover management commitment, team identification, team responsibilities, mitigation plans, recovery strategies, training, testing and evaluation and continuous improvement. Basically the same thing any good plan does.
Mitigation plans are intended to lessen the negative effects of an event or disaster.
Provide appropriate awareness training to everyone impacted, with more substantial training to the BCP team.
Verify it periodically and ensure it continues to be relevant.
Whenever relevant, proceduralize these BCP instructions.