The GxPs – a brief definition

Jargon is something we should work hard to avoid, and yet there is an awful lot of it we find difficult to let go. Right at the top is the GxPs.

GxP is a general abbreviation for the “good practice” quality guidelines and regulations. The “x” stands for the various fields, including the pharmaceutical and food industries, for example good manufacutiring practice, or GMP.

There are a lot of GxPs, though we tend to focus on 5(ish), depending on where you are.

We tend to argue a lot about them. Even to the GxP vs GXP. Or GPvP vs GVP. Or GdocP or GDP (so damn confusing, there is another GDP – Good Distribution Practices). Or if Good Storage Practice is its own body or part of the GMPs and GDPs. And…and…and.. The arguing can be fun.

The Five big ones in pharma and medical devices are GLP, GCP, GMP, GDP and GPvP. Some of the others like GACP are pretty intesting in their application.

Some like GDocP and GAMP are more specific threads that go across the GxPs.

By nature the GxPs are tied to the phase of the pharmaceutical pipeline.

The GxPs are all about ensuring compliance and are informed from a wide range of sources, starting with law and regulations.

Being in the age of globalization, there are many many sources to draw from.

This can also draw from beyond the health authorities (for example in the US USDA for GACP or the DEA for parts of the GDPs).

At the end of the day, GxPs answer to five important criteria.

EMA Publishes 2021 GCP Compliance Report

The EMA has published the Annual Report of the Good Clinical Practice (GCP) Inspectors Working Group (IWG) 2021.

Beyond wishing for an 11 month cycle of writing and approval on my annual reports, there is some valuable information there.

In 2021, three CHMP GCP inspections were conducted entirely remotely, and three inspections were conducted in a hybrid setting. A total of 286 deficiencies, comprising 24 critical, 152 major and 110 minor findings were recorded for the 27 CHMP requested inspections conducted in 2021. This represents an average of 10-11 findings per site inspected. The three top categories were: “General”, “Trial Management” and “Computer System”. An increase in findings related to computer systems (e. g. Audit Trail and Authorized Access, Computer Validation, Physical Security System and Backup) is noted compared to the last reports.

More information is available at EMA´s Good Clinical Practice Inspectors Working Group website.

Under organisation and personel we see “Delegation of tasks to inappropriate team members.” This reinforces the needs for strong cv and job descriptions, and linking to both hiring and personnel qualification.

The computer systems observations are the greatest hits of data integrity, and should be a wakeup call to any company that treats GCP and GMP computer systems differently.

Let the 2022 annual GCP training development begin. And make sure you get that training done on time!

Sunscreen is a drug

Folks often forget that in the United States the active ingredient in sun screen is a drug and needs to meet appropriate quality system requirements. This Warning Letter to Kari Gran, Inc is a case in point.

The whole warning letter is a result of a company not realizing (or thinking they can get away with not having) the need for GMP compliance.

I’m not sure I would draw broader trends around data integrity or anything else from it.

Photo by Kindel Media on Pexels.com

Risk Assessments Do Not Replace Technical Knowledge

The US Food and Drug Administration (FDA) last month warned Indian generic drugmaker Lupin Limited over three good manufacturing practice (GMP) violations at its facility in Maharashtra, India that identified issues with the company’s written procedures for equipment cleaning, its written procedures for monitoring and controlling the performance of processing steps and the “failure to investigate all critical deviations.”

The FDA said the company “performed multiple risk assessments with the purpose to verify whether existing cleaning procedures and practices eliminate or reduce genotoxic impurities … generated through the manufacture of [redacted] drugs after you detected [redacted] impurities in your [active pharmaceutical ingredient] API.” The company also performed risk assessments to determine whether its cleaning procedures reduced the risk of cross-contamination of intermediates and API. However, FDA said the risk assessments “lacked data to support that existing equipment cleaning procedures are effective in removing [redacted] along with residual API from each respective piece of equipment to acceptable levels. “The identification of genotoxic impurities in quantities near their established limits suggests excursions are possible. All intermediates and API manufactured on non-dedicated equipment used to manufacture [redacted] drugs should be subject to validated sampling and analytical testing to ensure they are not contaminated with unacceptable levels of genotoxic impurities,” FDA said.

At heart this warning letter shows a major weakness in many company’s risk management approach, they use the risk assessment to replace technical inquiry, instead of as a tool to determine the appropriateness of technical understanding and as a way to manage the uncertainty around technical knowledge.

A significant point in the current Q9 draft is to deal with this issue, which we see happen again and again. Risk management cannot tell you whether your cleaning procedures are effective or not. Only a validated testing scheme can. Risk management looks at the aggregate and evaluates possibilities.

Computer Software Assurance Draft

The FDA published on 13-Sep-2022 the long-awaited draft of the guidance “Computer Software Assurance for Production and Quality System Software,” and you may, based on all the emails and posting be wondering just how radical a change this is.

It’s not. This guidance is just one big “calm down people” letter from the agency. They publish these sorts of guidance every now and then because we as an industry can sometimes learn the wrong lessons.

This guidance states:

  1. Determine intended use
  2. Perform a risk assessment
  3. Perform activities to the required level

I wrote about this approach in “Risk Based Data Integrity Assessment,” and it has existed in GAMP5 and other approaches for years.

So read the guidance, but don’t panic. You are either following it already or you just need to spend some time getting better at risk assessments and creating some matrix approaches.