GxP
The term GxP is a generalization of quality guidelines, predominantly used in the pharmaceutical industry. Good Manufacturing Practice, or GMP Good Engineering Practice, or GEP Good Laboratory Practice, or GLP Good Safety Practice, or GSP
GMP is the most commonly known instance of GxP. The term GxP is only used in a casual manner, to abstract from the actual set of quality guidelines.
Purpose
The purpose of the GxP quality guidelines is to ensure a quality product, guiding pharmaceutical product research, development and manufacturing, but also presents a codex for much of the activities off the critical path. The most central aspects of GxP are: Traceability: the ability to reconstruct the development history of a drug. Accountability: the ability to resolve who has attributed to the development, doing what, at what time.
Documentation is thereby the most crucial instrument. Please find more details around GxP requirements in the article about Good Manufacturing Practice.
Consequences of GxP in IT
At the same time, these requirements do not only apply for the end-product (the drug) itself. For this product to be produced in a truly GxP compliant manner, it is imperative that these guidelines also be applied for any artifacts that contribute directly or indirectly to its development. This explicitly includes assets used in information management. The pharmaceutical industry therefore requires special attention for a range of user requirements that are somewhat neglected in other industries. Secure logging: each system activity must be registered, in particular those activities conducted by users of the system, that relate to research, development and manufacturing. The logged information is to be secured in an appropriate manner and cannot be changed once logged, not even by an administrative user of the system. Auditing: an IT system must provide the necessary facilities to support with conclusive evidence in litigation cases, to reconstruct the decisions and potentially mistakes that were made in developing a drug. Archivation: relevant audit information must be retained for a set amount of time, spanning several decades in certain countries. Archived information is still subject to the same requirements, but its sole purpose is to provided trusted evidence in litigation cases. Accountability: audited information may never be logged against impersonal accounts. There must be an unambiguous relation between the user action in the IT system and the employee who is accountable. Non-repudiation: audit information must be logged in a manner where no user can deny the validity of the information, e.g. due to the fact that someone could have tampered with the information. One way of assuring this, is by means of digitally signing activities. The business case for any overhead in technical measures in this field is easily made, if one considers the importance of winning some of the most spectacular litigation cases that are attributed to the pharma industry. This is also the perspective that you should use to understand the sense and nonsense of high investments in your IT security concept (IT infrastructure, standard operating procedures for system administration). At the same time, system development in the pharma industry is accompanied by documentation requirements that exceed the usual level of attention. The word traceability is of central importance, creating a chain of decisions that lead from user requirements and business goals down to the actual design decisions of the system, and the qualification of its installation and operation.
|
|
