GxP compliance can sound complicated or mysterious, but actually, it is pretty straightforward. You just need a methodical approach and strong process control in place.
The term GxP is a generic catch-all for standards such as GMP (Good Manufacturing Practice), GCP (Good Clinical Practice), and GAMP (Good Automated Manufacturing Practice). These are labels that either vouch for operational standards or are mandated in the case of life sciences businesses. Nobody wants variance in things like drug manufacturing, after all.
Meeting GxP compliance is the act of defining what the processes and standards should be, then proving your ERP system and its processes meet these standards reliably. Proving it is GxP validation.
There are two parts that come with GxP compliance: validating your system, and then ensuring that you have processes in place to ensure the system stays valid.
There are three main steps for validating GxP compliance. These include defining user and functional requirements, conducting risk assessment, and executing documented testing phases such as Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ).
In GxP validation, User Requirements Specifications (URS) and Functional Requirements Specifications (FRS) are the foundational documents used to prove that an ERP system is fit for its intended use and complies with all process and source material requirements. Before you can prove your system works as it should, you must define in writing how it is expected to perform.
User Requirements Specifications describe what the business and end users need the system to do. A URS will define intended use, establish validation scope, provide traceability for testing, and support regulatory inspections.
The Functional Requirements Specifications, on the other hand, translate the user and business requirements from the URS into detailed system behavior. It defines how the system will fulfill the requirements that have been outlined in the URS.
Risk assessment is the process of identifying, evaluating, and controlling risks that could affect safety, quality, data integrity, and regulatory compliance. It is not about eliminating risk, but controlling it to acceptable levels.
Risk assessment helps determine what must be validated, how much testing is required, which controls are necessary, and where failures matter most.
Commonly, the risk assessment process consists of defining system scope, identifying GxP functions, identifying hazards and failure modes, estimating risk, defining controls and mitigations, determining validation testing depth, documenting residual risk, and defining how frequently risk should be reviewed after validation.
The first two steps were defining what must be tested, and this third step is actually testing for it and documenting the results.
This is the formal qualification phase where it is demonstrated that the ERP and its processes are set up correctly, operate as intended, and perform effectively in real-world operational environments.
Based on the Functional Requirements Specifications already defined and the risk assessment for what must be tested, a business will need to prove that the ERP system works successfully as intended. This testing and the documentation of its successful completion validate the ERP system.
Of course, an ERP that passes the test today might not do so later. That’s why documented processes for maintaining a validated system are part of GxP compliance. This includes maintaining documentation, establishing change control procedures, and ensuring ongoing monitoring and periodic review.
Maintaining documentation for GxP compliance means that records and validation documentation are accurate, complete, current, traceable, secure, readily retrievable, and inspection-ready.
Common forms of documentation include quality system documents such as quality manuals, SOPs, and policies; validation documentation such as URS, FRS, testing protocols, and validation results; operational records such as batch records, training records, and maintenance logs; and compliance records such as deviations, change controls, and audit reports.
Establishing change control procedures is the creation of formal, documented processes to evaluate, approve, implement, test, and monitor changes that could affect the safety, quality, data integrity, or validated state of the ERP system.
The goal of change control procedures is to ensure the changes are controlled, assessed, documented, tested, and approved before implementation so the ERP system stays in compliance.
Change control procedures should be defined and in place for ERP software changes, process changes, data-related changes, security changes, and supply chain changes.
Ongoing monitoring and periodic review are necessary for ensuring that an ERP system remains compliant and in a controlled state throughout its lifecycle, not just after initial go-live.
The equation for sustained GxP compliance is a validated state combined with controlled changes and continuous oversight.
Periodic reviews of compliance state take place annually and at risk-based intervals. These reviews check that the ERP system is still meeting the intended use, it remains validated, and changes are properly controlled.
While there is no such thing as a pre-validated ERP solution, prepackaged industry solutions can greatly improve the speed of system validation. This is because prepackaged ERP solutions are built for the GxP compliance needs of a given industry, with common processes and best practices configured by default.
So while a life sciences business must still validate its system, for instance, it can start with an ERP solution pre-configured and ready for validation. This makes the validation process much faster.
What’s more, third-party validation firms often are already familiar with well-known prepackaged industry solutions, reducing the time they must spend validating one of these systems.
“I think prepackaged is the way to go,” says Archie O’Leary, vice president of sales for one of the leading life sciences validation firms, Arbour Group.
“We have pre-configured validation solutions for these systems,” he notes. “If we haven't seen it before, do we really care? No. But it's going to be expensive.”
So if GxP compliance matters for your business, consider a prepackage industry solution.
You can learn more about our ERP industry solutions or the GxP validation process by calling one of our experienced ERP consultants at (801) 642-0123 or by writing us at info@nbs-us.com.