GMP/GAMP and Best Practice ITIL® – not mutually conflicting?
GMP, GAMP and ITIL® are keywords which have become an essential feature of the pharmaceutical, biotech and medical technology industries. But are they mutually compatible or are we attempting to bring together concepts which it is not possible to combine? Arcondis has produced a summary of the results of the original idea which dates back to 2003 and the practical experience which we have acquired and gives an overview of the potential that remains to be exploited.
Differing origins of the best practices
At first glance, the good and best practices GMP/GAMP and ITIL® have very little in common, at least in terms of their origins and main objective:
- GMP are official regulations on the basis of which the ISPE GAMP guidelines have been produced for companies in regulated industries, such as the pharmaceutical industry. The objective is compliance, in other words conformity with and continuing observance of legal (for example GMP) and self-imposed (for example GAMP or ISO 9000) standards. The regulations aim to put in place product quality assurance processes for the protection of human health rather than focusing on an increase in productivity.
- ITIL® is used as a service management framework primarily for IT operations. There are no regulatory requirements which provide a direct or indirect incentive for companies to implement ITIL. Instead the motivation behind ITIL is a continuous improvement in customer satisfaction and the quality of services.
The theoretical concept
One requirement on quality-related systems in pharmaceutical or medical technology companies is not only the initial validation of the system, but also maintaining the validated status during operation. This is essentially required in order to track changes in the system configuration, to manage incidents in a structured way and to resolve problems in the system using a traceable process. Depending on the use to which the system is put, there is a specific emphasis in the regulations on security management and ensuring continuity (for example, for product recalls or batch traceability).
The ITIL® best practices with service support and service delivery processes plus security management are used specifically for the tasks of an IT department which result from the GAMP requirements.
Our general practical experience
The IT department is generally responsible for all the end-to-end SOPs which form part of IT operations, such as change management. These SOPs should ideally be developed in advance as part of a separate project, independently of the system, for the IT operations as a CSV operating framework. The majority of the ITIL® best practices can be used for this purpose.
Depending on the organizational structure, at certain points special assessments, quality approvals and documentation and testing requirements must be incorporated. If a CSV project is required, additional system-specific SOPs can be created which refer to the generic, non-specific SOPs. The best solution may be to use system-specific forms in combination with the generic SOPs. The result in this case will be a significant and lasting increase in efficiency.
If the SOPs have to be developed during the course of the CSV project, this represents a more complex situation. The budget often only covers the most crucial measures for achieving compliance. Only the essential system-specific SOPs are produced for the purposes of system operation. The focus in this case is not on increasing efficiency and productivity.
The solution to combining GAMP good practices and ITIL® best practices successfully is early and ongoing discussions between the IT operations manager and the CSV project manager.
Two specific challenges and our recommendations
The area of synergy between GAMP and ITIL® can be extended by following the two recommendations below:
- Challenge: Often a large-scale, complex change management system is put in place for every small standard system change. In addition, errors creep in because of a lack of knowledge about the logical dependencies between the individual configuration elements. Variable, master and configuration data is jumbled up or defined as master data from a purely technical system perspective.
Recommendation: On the basis of an understanding of the risk analysis, the individual system functions, including the essential attributes and logical dependencies, can be configured using the functional specification. This means that, as early as the project phase, plans are made to ensure that the system functions effectively in terms of change management, based on an end-to-end configuration management process. - Challenge: One of the weak points of the GAMP project methodology is the one-off, static specifications which require a periodic review of the system and its specification. In addition, revalidations are extremely laborious and time-consuming, because there is no reliable specification baseline for use as a reference. It is generally easier to carry out a complete revision of the specifications than to incorporate all the system changes into the specifications retrospectively.
Recommendation: One of the effects of system changes is the need to update the project specification at an early stage for release management. This simplifies both the periodic review and the revalidation process which becomes necessary as a result of a system update, for example. In addition, consistent and up-to-date specifications will make the impact analysis involved in the evaluation of change requests much easier.
Arcondis can offer all CSV project managers and IT operations managers the opportunity of a personal discussion about our recommendations with no strings attached. You are welcome to invite the CSV project manager or IT operations manager from your company to attend as well.
We will also be happy to assess the efficiency of your CSV and IT operational frameworks, in order to produce an action plan for the effective integration of the two areas which will allow a state of compliance to be achieved efficiently.
ITIL® is a Registered Trade Mark of the Office of Government Commerce in the United Kingdom and other countries.