Implementing GxP Systems: Process vs. System Owner Roles

Establishing a new GxP system, often at the behest of your company’s operations teams, seems like a dream come true for the teams that requested, funded, fought for, and implemented the new system.  Time-consuming manual steps have been automated, resulting in reduced errors and costs.  Processes have been consolidated, integrated, and streamlined, resulting in increased operational efficiencies.  However, both the cost and effort of establishing and maintaining system compliance with regulatory requirements must be carefully planned and considered as part of implementing a GxP systems.  

Most companies in the life sciences industry understand that the cost and effort can be significant to implement and validate a GxP system to establish a baseline of system compliance.  What is not always fully understood is the importance of establishing an operating model to maintain the constant validated state of a GxP system, including clear guidance to those who are accountable and responsible for that effort.  Failure to establish and assign proper roles and responsibilities could reduce or take a system out of compliance.   

The following diagram presents the key roles that are responsible for ensuring the compliant implementation, validation, ongoing use, support, maintenance, and retirement of a GxP system: 

The above roles and responsibilities are outlined in GAMP 5 – A Risk-Based Approach to Compliant GxP Computerized Systems (2008) and other guidance which companies in the life sciences industry widely use to define their internal processes for GxP system implementation, validation, ongoing use, maintenance, and eventual retirement.  Although these roles are well established and known, there are often misunderstandings and confusion about two roles: Process Owner and System Owner.  The following is a brief outline of these roles.

PROCESS OWNER

The Process Owner (aka, Business Owner) is ultimately accountable for the system and has the overall responsibility for its implementation, validation, and ongoing compliant use and is typically designated as the owner of the data maintained within the system.  Some key characteristics of the Process Owner role are:

1. Should be at a level in the organization that allows:

• Detailed understanding of the system, its purpose, functions, and use
• Ability to make business and process decisions regarding the system
• Often an operations director/manager, lab manager, or production manager.

2. Should be able to garner management support for and/or delegate some responsibilities while retaining overall role accountability.
3. Must ensure the following:

• Provision funding and resources for system implementation, qualification, validation, training, and ongoing licensing, maintenance, and support of the system
• Develop and maintain user requirements, SOPs, and Business Continuity Plans
• Ensure the ongoing training of system administrators and users
• Facilitate support from management, business resources, and SMEs for the above activities
• Approve applicable CSV documentation per the System Validation Plan
• Ensure the ongoing validated state of the system through change control, system requalification, and SOP maintenance, as well as facilitating scheduled periodic system reviews, user access reviews, audit trail reviews, and the resolution of any resulting system incidents, deviations, and CAPAs.

SYSTEM OWNER

The System Owner (aka Technical Owner) is responsible for the design, implementation, and ongoing compliant system administration and technical support.  Some key characteristics of the System Owner role are:

1. Should be at a level in the organization that allows: 

• Detailed understanding of the system and application and supporting infrastructure design, components, and environments 
• Ability and knowledge to make technical decisions regarding the system
• Often an IT director/manager or application support manager/resource. 

2. Should be able to garner management support for and/or delegate some responsibilities while retaining overall role responsibility.
3. Must ensure the following:

• Design and maintain system architecture as well as install, qualify and test IT system infrastructure components 
• Contribute to system technical requirements as well as develop and execute system application Installation Qualifications and Disaster Recovery Plans  
• Ensure that system data is secured and backed up
• Facilitate support from IT Infrastructure, application support resources, and vendor resources for the above activities
• Perform System Administration duties such as user and privilege maintenance, data archival/retrieval, and other system-specific administration tasks
• Perform Application Support duties such as system patching, documentation of system issues, facilitating vendor support, and other application-specific support tasks  
• Ensure the ongoing validated state of the system through change control, participation in scheduled periodic system reviews, and the resolution of any resulting system incidents, deviations, and CAPAs associated with the system architecture or application implementation.

The following may contribute to the misalignment of these roles:

1. Some companies use the term System Owner to describe the Process Owner’s responsibilities.  This is understandable as the term System Owner intuitively seems to cover overall ownership of the system.    
2. The preponderance of other models and paradigms also used in the Life Sciences industry, such as Six Sigma and ITIL.  These and other models define similarly named roles with responsibilities that do not always align with the GAMP 5 definitions.   
3. The business owner of a system is not always aware of the responsibilities or does not have the knowledge to assume the Process Owner role.  Likewise, IT or other technical teams may not understand the responsibilities associated with the System Owner role.  

Training on the responsibilities and how to perform them is vital for those assuming the Process and System Owner roles.  It is incumbent upon the Quality Assurance team to train or ensure the Process and System Owners understand what their role and compliance responsibilities are prior to system implementation and validation.   The Process and System Owners must then collaborate with Quality Assurance, IT, CSV, training, HR, system vendors, and/or system development teams to ensure the necessary compliance activities are performed in a timely manner and are documented.

For some smaller companies, the System Owner and Process Owner may be the same individual.  This may also be the case for smaller systems with fewer users, such as an infrequently used analytical testing instrument.  These situations are acceptable when the individual understands the responsibilities and can perform both roles.  

The GAMP 5 role designations of Process Owner and System Owner with their associated responsibilities are helpful to organizations for several reasons:

1. The Process Owner role aligns the overall responsibility for the system and data with the organizational team that is responsible for executing the process and creating the data
2. The System Owner’s role aligns the responsibility for the support of the system and infrastructure as well as ensuring the integrity of the system data with the organizational team that has the appropriate technical expertise and knowledge
3. And finally, these roles are generally understood by most regulatory agencies and client auditors, eliminating the need to translate and explain different roles to them.    

The use of specific role names is not a regulatory requirement, but whatever your company labels these roles, the purpose and responsibilities associated with them are necessary to establish and maintain GxP system compliance.  

Establishing the Process Owner and System Owner roles with their associated responsibilities and ensuring the individuals assigned to those roles are both aware and trained in their responsibilities will ensure the necessary activities are performed to maintain a GxP system in a compliant, validated state.

Kevin DeLeon is a Principal Consultant in CREO’s Cybersecurity and Compliance practice and helps life sciences companies establish and maintain system compliance with regulatory requirements for GxP systems.