The 80/20 Rule
Initiating a data governance project at any given site around the world has to start with a problem statement. Without this, the project will likely die a slow and painful death because no one is really sure what the project was all about in the first place… Folks will likely think (or even verbalize): “Don’t we already have a data integrity program in place?” The answer is likely yes; it just isn’t very good. In reality, no one is happy with the level of audit trail review, data reconciliation, or witnessing burdens that are placed on staff members. In my experience, the problem statement is [nearly] universal: the current DI program is not truly “risk based” and is therefore likely failing regulatory expectations, hence the continuous stream of 483s citing deficiencies to 21 CFR Part 211.68. Semi-structured DI checklists simply fail to do the job we ask of them (it’s not their fault, don’t blame the checklist!) due to their failure to connect with the process “workflow” (see FDA DI Guidance Q3). On this blog page, I have already written about the two tools used to establish data governance: 1) data/process mapping and 2) qualitative risk assessments using the principles of a) severity and b) vulnerability. In our data governance workshops, we now use AI tools to assist with rapid generation of data/process maps, which is a game changer… I am not going to address this point in this blog entry, but rather the second, more difficult tool: qualitative risk assessments. AI can assist here as well, although the human is much more integrated and critical to the process outcome.
The purpose of this blog entry is to address the main roadblock to achieving rapid/agile risk assessments: the problem of knowing when the risk assessment is complete. If you were tasked with performing a risk assessment for driving to the grocery store, you could identify, evaluate and attempt to control an unlimited number of hazards… For example, the hazard: “large hailstorm forms and shatters windshield”. You could, in theory, evaluate the risk and put controls in place, such as installing bullet-proof glass. This would reduce the risk of this hazard causing a failure to the process. The list of hazards, in reality, goes to infinity and beyond; however, chasing all of them would cause what we call “perfection paralysis”, and your refrigerator would quickly run out of goods (unless you live in a city with a delivery service).
As a result of this risk-reality, we as humans often follow the 80/20 rule, including within the science of project management. For example, 80% of a project’s benefits are likely achieved via 20% of the existing efforts. The remaining 80% of effort is only achieving 20% of the project’s benefits. In the GXP realm, this is also likely to be true! Most of our patient safety/quality assurance is achieved via just a few actions performed by operations/QA staff. In the DI world, these are simply the actions that ensure the 1) accuracy and 2) completeness of data.
So how can we take this fundamental and well-established principle of project management and put it to use in our data governance program? The answer is clear: focus on the big stuff, and don’t sweat the small stuff (sorry for the cliche but it is just too appropriate!). Remember that the majority of your risk is covered by evaluating just a few process hazards, and that is sufficient. If you have a gap in the big stuff (e.g. lack of access controls), focus your limited resources on fixing those gaps using innovative and possibly non-traditional GXP technology, instead of wasting efforts on an encyclopedia-style risk assessment that burns the midnight oil and leaves everyone exhausted. Otherwise there is no gas left in the tank to fix anything - it was all expended assessing… If you miss something small, don’t worry - trending, deviations, or CPV will catch it, and it can be addressed then and there - therein lies the beauty of a lifecycle approach to validation. Remember that the vast majority of risk exists within just a few hazards, and you are not likely to miss those. The patient expects medicines that are safe [obviously] but also affordable. Keep the 80/20 rule in mind, and your organization will thrive. Give yourself a timeframe to complete the risk assessment (my advice = 4 hours maximum) - and stick to it.
As a Texan, I am [obviously] a country music fan. If you need a little motivation here, just listen to the incredible song by Kevin S. Wilson - Don't Sweat The Small Stuff. Listen as a group before you start the risk assessment, and you will crush it!
Pete

