Tag: pandemic

Business Continuity Planning

The pharmaceutical regulations call, repeatedly for business continuity plans. For example, the FDA calls for fairly significant requirements for Medically Necessary Products:

Medically necessary drug products and their components are manufactured all over the world. An emergency situation anywhere in the world thus might affect the availability of drug products in the United States and result in drug shortages. Emergency preparedness for situations that could result in high employee absenteeism is an important goal for manufacturers of drug products and their components. For example, in an influenza pandemic, widespread human outbreaks of illness would be expected in the United States and around the world, resulting in widespread high absenteeism that could hinder normal production activities and cause shortages in the supply of drug products, packaging materials, and drug components. It is therefore vital for industry to prepare before an emergency situation occurs and to develop plans to ensure continuity of operations during emergencies (including, for example, an influenza pandemic, natural disaster, or personnel issue) that would prevent a significant portion of the work force from reporting. It is especially important for manufacturers of finished drug products to be aware of their suppliers’ and contractors’ responses to personnel shortages and, when appropriate, work with them to ensure the availability of high quality materials and services that contribute to the manufacture of MNPs.

FDA, Guidance for Industry Planning for the Effects of High Absenteeism to Ensure Availability of Medically Necessary Drug Products

You can find less definitive requirements throughout the various health authorities’ regulations and guidances.

So what do we mean by business continuity?

Business continuity is the holistic management process that ensures operations continue and that products and services are delivered at predefined levels (e.g. no shortages, no halt to an ongoing clinical trial). This approach is aligned with ISO 22301 Business Continuity Management Systems.

Business continuity management is an ongoing process based on the plan-do-check-act methodology that is made up of 4 key elements:

  • Emergency Action and Response Plans
  • Disaster Recovery Plans
  • Crisis Management Plans
  • Business Continuity Plans

Emergency Action Plans

An emergency action plan is designed to respond to an emergency with mitigating procedures to protect, secure and evacuate people to safety. This is more an OSHA thing; chances are your average Quality unit doesn’t end up owning it. Unless you have no HS&E unit, and then you write one.

This plan includes procedures for detecting, warning, and responding to specific potential emergencies such as fire, severe weather, earthquake, medical emergencies, workplace violence, and other potential threats.

Disaster Recovery Plan

Disaster recovery plans are designed to recover from a disaster, usually related to equipment, infrastructure, and information technology. Something big goes boom, how do you restore this vital support system or equipment as soon as possible and minimize downtime and loss of data. Very important for computer system lifecycle, disaster recovery plans should include specific plans for recovery functions, resumption strategies, critical personnel, equipment, services, and external and internal communications.

Crisis Management Plans

Crisis management is all about planning and mitigating situations that have risk, and are usually a lot of management of communications internally and externally. This includes with regulators, health care providers, etc. When we implement SOPs for health authority notifications we are engaging in crisis management planning.

Business Continuity Plans

Business continuity planning identifies and plans for disasters to events that could negatively an organization’s business functions, objectives, income, reputation, and ultimate survival. This planning takes place in advance of the potential disasters or events that could harm an organization. It takes potential disasters and events into consideration with their effects on suppliers, vendors customers, and the organization’s other stakeholders.

In a GxP environment, we are looking at the potential impact of disasters on drug supply and clinical study outcomes (amongst other key activities).

The BCP is all about minimizing the effects of the disaster or event on the organization and returning to normal operations as soon as possible.

These Plans are Interrelated

All four plans are interrelated and should be coordinated. The plans can be combined, but as there are usually very different owners they are often separated.

Documented Plans

The business continuity planning process should result in formal, documented plans that serve as a reference guide in the event of a disaster or event. The existence of the business continuity plans should be well communicated, with individuals with responsibilities having ready access and additional training.

Applying the Risk Management Process

The Business Continuity process should leverage existing risk assessments and sit around it.

Select Team

The team should be multifunctional and very knowledgeable about the organization’s business and the risks it faces. This should be a permanent team, not ad hoc, as this is a living process. You can always bring in ad hoc members for specific questions.

Define Context, Purpose, Scope

At a minimum you are tackling the disruption to product supply and cessation of critical GxP data but there may be other business requirements to tackle. Make sure everyone agrees on these.

Define Terminology

Make sure everyone is on the same page with just what disaster, event, crisis, stakeholder, and business continuity plan (and other important concepts) are.

Agree on the scales for likelihood and severity.

Critical Function Assessment

Identify the business functions that are sensitive to downtime, fulfill regulatory obligations and are vital for maintaining product supply.

Threat Assessment

Identify the threats to the performance of the critical functions.

Identify Hazards and Risks

There are three major categories of hazards:

  • Natural Hazards
    • Meteorological
    • Geological
    • Biological
  • Human-Caused Hazards
    • Accidents
    • Intentional acts
  • Technological Hazards
    • Information technology
    • Utility
    • Fire/explosion
    • Hazardous material
    • Supply Chain interruption

Utilize a risk matrix to assess the likelihood and severity of the identified hazards and risks.

Develop Business Continuity Plan(s)

After the hazards and risks have been identified, the impact understood and the risks assessed it is time to develop the business continuity plan (BCP). The BCP allows the organziation to survive the event or disaster with minimal disruption. The BCP focuses on mitigating the consequences of the event or disaster that could not be prevented. Recovery strategies for these cosnequences are determined, developed and become part of the BCP.

When many potential risks have been identified, use the risk score to prioritize.

BCPs cover management commitment, team ientification, team responsibilities, mitigation plans, recovery strategies, training, testing and evaluation and continious improvement. Basically the same thing any good plan does.

Mitigation plans are intended to lessen the negative effectis of an event or disaster.

Provide appropriate awareness training to everyone impacted, with more substantial trining to the BCP team.

Verify it periodically and ensure it is continues to be relevant.

Whenever relevant, procceduralize these BCP instructions.

Pandemics and the failure to think systematically

As it turns out, the reality-based, science-friendly communities and information sources many of us depend on also largely failed. We had time to prepare for this pandemic at the state, local, and household level, even if the government was terribly lagging, but we squandered it because of widespread asystemic thinking: the inability to think about complex systems and their dynamics. We faltered because of our failure to consider risk in its full context, especially when dealing with coupled risk—when multiple things can go wrong together. We were hampered by our inability to think about second- and third-order effects and by our susceptibility to scientism—the false comfort of assuming that numbers and percentages give us a solid empirical basis. We failed to understand that complex systems defy simplistic reductionism.

Zeynep Tufekci, “What Really Doomed Americas Coronovirus Response” published 24-Mar-2020 in the Atlantic

On point analysis. Hits many of the themes of this blog, including system thinking, complexity and risk and makes some excellent points that all of us in quality should be thinking deeply upon.

COVID-19 is not a black swan. Pandemics like this have been well predicted. This event is a different set of failures, that on a hopefully smaller scale most of us are unfortunately familiar with in our organizations.

I certainly didn’t break out of the mainstream narrative. I traveled in February, went to a conference and then held a small event on the 29th.

The article stresses the importance of considering the trade-offs between resilience, efficiency, and redundancy within the system, and how the second- and third-order impacts can reverberate. It’s well worth reading for the analysis of the growth of COVID-19, and more importantly our reaction to it, from a systems perspective.