This year’s rant is triggered by reading a good practices guide designed to be pan-GxP and getting frustrated by its utter GMP focus. I knew I was in trouble when it specifically discussed “Product and Process Understanding” as a critical factor and then referenced ICH Q10. Use those terms with ICH Q10, and you just announced to the entire world that this is a GMP book. It is important to use a wider term and then reference product/process understanding as one subcategory or way of meeting it.
I rather like the approach of ICH E6 and E8 here, which is to use the wider term “Critical to Quality,” which in the broader sense can be expanded to mean the key factors that must be controlled or monitored to ensure the quality, safety, and efficacy of pharmaceutical products from development to clinical studies to manufacturing and distribution and beyond. It’s a risk-based approach focused on what matters most for patient safety and reliable results.
Defining the accountable individuals in a process is critical. In GAMP5, the technical System Owner role is distinct from the business Process Owner role, which focuses more on the system’s business process and compliance aspects.
The System Owner
The System Owner is responsible for the computerized system’s availability, support, and maintenance throughout its lifecycle. The System owner is the technical side of the equation and is often an IT director/manager or application support manager. Key responsibilities include:
Defining, reviewing, approving, and implementing risk mitigation plans
Ensuring technical requirements are documented
Managing change control for the system
Conducting evaluations for change requests impacting security, maintainability, data integrity, and architecture
Performing system administration tasks like user and privilege maintenance
Handling system patching, documentation of issues, and facilitating vendor support
Frankly, I think too many organizations make the system owner too low level. These lower-level individuals may perform system admin tasks and handle systems patching, but the more significant risk questions require extensive experience.
The System Owner focuses on the technical aspects of validation and ensures adequate procedural controls are in place after validation to maintain the validated state and protect data integrity.
The system owner requires learning and understanding new products and complex system architectures. They are the architect and need to be in charge of the big picture.
The Process Owner
In the context of GAMP5, a Process Owner plays a crucial role in the lifecycle management of computerized systems used in regulated industries such as pharmaceuticals and biotechnology. The Process Owner is ultimately accountable for the system’s implementation, validation, and ongoing compliant use.
I’ve written a lot about Process Owners. This use of process owner is 100% aligned with previous thinking.
Key Responsibilities of a Process Owner
System Implementation and Validation: The Process Owner ensures the system is implemented and validated according to regulatory requirements and company policies. This includes overseeing the creation and maintenance of validation documentation and ensuring the system meets its intended use.
Ongoing Compliance and Maintenance: The Process Owner must ensure the system remains validated throughout its lifecycle. This involves regular reviews, updates, and maintenance activities to ensure continued compliance with regulatory standards.
Data Integrity and Quality: As the data owner maintains the system, the Process Owner is responsible for its integrity, administration, operation, maintenance, and decommissioning. They must ensure that data integrity and quality requirements are met and maintained.
Decision-Making Authority: The Process Owner should be at a level within the organization that allows them to make business and process decisions regarding the system. This often includes roles such as operations director/manager, lab manager, or production manager.
Collaboration with Other Teams: The Process Owner must collaborate with various teams, including Quality (QA), IT, Computer System Validation (CSV), training, HR, system vendors, and system development teams, to ensure that all necessary compliance activities are performed and documented promptly.
Skills and Knowledge Required
Detailed Understanding of the System: The Process Owner should have a comprehensive understanding of the system, its purpose, functions, and use within the organization.
Regulatory Knowledge: A good grasp of regulatory requirements is crucial for ensuring the system complies with all relevant guidelines and standards.
Validation Practices: The Process Owner will sign off on validation documents and ensure that the system is fit for its intended use.
While the Molecule Steward, the ASTM E2500 SME role, is not directly equivalent to the GAMP 5 roles, it shares some similarities with both the system owner and process owner, particularly in terms of specialized knowledge and involvement in critical aspects of the system. It’s best to think of the Molecule Steward as the third part of this triad, ensuring the robustness of the scientific approach.
System Owner
Process Owner
Molecule Steward
Primary Focus
Technical aspects and maintenance of the system
Business process and compliance aspects
Specialized knowledge of critical aspects
Typical Role
IT director/manager or application support manager
Head of functional unit or department using the system
Subject matter expert in specific field
Key Responsibilities
– System availability, support, and maintenance – Data security – Risk mitigation plans – Technical requirements documentation – Change control management – Evaluating change requests
– Overall system integrity and compliance – Data ownership – User requirements definition – SOP development and maintenance – Ensuring GxP compliance – Approving key documentation – User training
– Defining system needs – Identifying critical aspects – Leading quality risk management – Developing verification strategies – Reviewing system designs – Executing verification tests
Expertise
Strong technical background
Business process knowledge
Specialized technical knowledge
Accountability
System performance and security
Business use and regulatory compliance
Critical aspects impacting product quality and patient safety
Involvement in Validation
Focuses on technical validation aspects
Ensures validation meets business needs
Leads verification activities
Comparison of SO, PO and ASTM E2500 SME
Scale of the System
People make the system too small here. This isn’t equipment A or computer system X. It’s the entire system that produces result Y. For example, it is the manufacturing process for DS (or upstream DS), not the individual bioreactors. Lower-level assistants can help with wrangling, but there should be overall accountability. The system, process, and ASTM E2500 SME must have the power in the organization to be truly accountable.
The Role of Quality
The Quality Unit is responsible for ensuring the right process and procedure are in place, that regulatory requirements are met, and that the system is fit for use and fit for purpose. The Quality Unit in GAMP5 is crucial for ensuring the safety, efficacy, and regulatory compliance of pharmaceutical products and computerized systems.
Ensuring Compliance and Product Quality: Quality is vital in ensuring that computerized systems used in pharmaceutical manufacturing meet regulatory requirements and consistently produce high-quality products. The Quality Unit helps organizations maintain high-quality standards in the various processes.
Risk Management: The Quality Unit champions a science-based risk management approach to system validation and qualification. Quality ensures the identification and assessment of potential risks.
Lifecycle Approach: The Quality Unit ensures that validation activities are conducted throughout the system’s lifecycle, from concept to retirement.
Documentation and Traceability: The Quality Unit oversees comprehensive documentation and traceability throughout the system’s lifecycle. Detailed records enable transparency, facilitate audits, and demonstrate compliance with regulatory requirements.
Change Management: The Quality Unit evaluates and controls system changes to ensure that modifications do not compromise product quality or patient safety.
Data Integrity: Quality is crucial in maintaining data integrity and ensuring records’ accuracy, reliability, and completeness.
Supplier and Internal Audits: Quality regularly audits suppliers and internal processes to ensure compliance and quality. These audits help identify gaps and areas for improvement in system development, implementation, and maintenance.
Beyond GAMP5
I consider this the best practice for handling an ASTM E2500 approach.
This Guide applies to computerized systems used in regulated activities covered by:
•Good Manufacturing Practice (GMP) (pharmaceutical, including Active Pharmaceutical Ingredient (API), veterinary, and blood)
•Good Clinical Practice (GCP)
•Good Laboratory Practice (GLP)•Good Distribution Practice (GDP)
•Good Pharmacovigilance Practices (GVP)
•Medical Device Regulations (where applicable and appropriate, e.g., for systems used as part of production or the quality system, and for some examples of Software as a Medical Device (SaMD1))
GAMP 5: A Risk-Based Approach to Compliant GxP Computerized Systems (2nd edition),
The biggest problem with GAMP is when you search GAMP you get:
This means that I spend a lot of time explaining why GAMP is relevant outside of manufacturing, to a lot of skeptical people who already struggle with the idea that GCP or GLP isn’t some special and unique flower.
To add to that, it is structured like a GxP. I see a G-some letters-P I instantly think Good <something> Practices. It is how my brain and the brain of every single person who works in the GxPs have been trained.
Second, what is that 5? What does it mean? It’s such a bit of esoteric lore that I have to spend more time explaining. For absolutely no value.
And then last, I inevitably have to deal with skepticism about something published by the International Society of Pharmaceutical Engineering being even remotely relevant to the work a study investigator is doing.
Without a doubt, GAMP is a powerful methodology and toolbox. It just shoots itself in the foot every time. It is unfortunate that with the 2nd edition the ISPE did not take a big breath and successfully rebrand as maybe GDIP or something.
Appropriate controls shall be exercised over computer or related systems to assure that changes in master production and control records or other records are instituted only by authorized personnel. Input to and output from the computer or related system of formulas or other records or data shall be checked for accuracy. The degree and frequency of input/output verification shall be based on the complexity and reliability of the computer or related system. A backup file of data entered into the computer or related system shall be maintained except where certain data, such as calculations performed in connection with laboratory analysis, are eliminated by computerization or other automated processes. In such instances a written record of the program shall be maintained along with appropriate validation data. Hard copy or alternative systems, such as duplicates, tapes, or microfilm, designed to assure that backup data are exact and complete and that it is secure from alteration, inadvertent erasures, or loss shall be maintained.
Kris Kelly over at Advantu got me thinking about GAMP5 today. As a result I went to the FDA’s Inspection Observations page and was quickly reminded me that in 2017 one of the top ten highest citations was against 211.68(b), with the largest frequency being “Appropriate controls are not exercised over computers or related systems to assure that changes in master production and control records or other records are instituted only by authorized personnel. ”
Similar requirements are found throughout the regulations of all major markets (for example EU 5.25) and data integrity is a big piece of this pie.
When building your change management system remember that your change is both a change to a validated change and a change to a process, and needs to go through the same appropriate rigor on both ends. Companies continue to get in a lot of trouble on this. Especially when you add in the impact of master data.
Make sure your IT organization is fully aligned. There’s a tendency at many companies (including mine) to build walls between an ITIL orientated change process and process changes. This needs to be driven by a risk based approach, and find the opportunities to tear down walls. I’m spending a lot of my time finding ways to do this, and to be honest, worry that there aren’t enough folks on the IT side of the fence willing to help tear down the fence.
So yes, GAMP5 is a great tool. Maybe one of the best frameworks we have available.
Investigations of a Dog 