What is GxP?
GxP is shorthand for a family of regulations and guidelines that govern the manufacture, distribution, and use of products in regulated industries, primarily pharmaceuticals and life sciences. The "x" stands for the product type: GMP (Good Manufacturing Practice), GDP (Good Distribution Practice), GLP (Good Laboratory Practice), and so on.
GxP regulations exist because these products directly affect human health and safety. A manufacturing error in a pharmaceutical product, vaccine, or medical device can cause severe harm. Unlike consumer goods where quality problems trigger recalls and lawsuits, regulatory failures in GxP industries can result in criminal prosecution, facility closure, and loss of product license.
The core logic of GxP is risk-based and systematic. Regulators (FDA, EMA, PMDA, and others) set rules about how to design, manufacture, test, and distribute products. Manufacturers document their processes, train their people, keep records, and periodically prove to regulators that everything is working as designed. The "system" is the point, not perfection.
This is different from quality management systems like ISO 9001, which focus on continuous improvement and customer satisfaction. GxP is about regulatory compliance and public health protection. Many manufacturers use both: ISO for operational excellence and GxP for regulatory compliance.
The GxP family
The GxP framework includes several specific regulations, each tailored to a product type and stage of its lifecycle:
GMP
Good Manufacturing Practice
Governs the manufacturing of drugs, biologics, medical devices, and food products. Covers facility design, equipment, processes, testing, and documentation. The most common and strictest GxP standard.
GDP
Good Distribution Practice
Governs the storage, handling, and distribution of finished products. Covers storage conditions, transportation, traceability, and handling of recalls. Ensures product integrity from manufacture to patient.
GLP
Good Laboratory Practice
Governs non-clinical safety testing. Covers laboratory design, equipment, protocols, test data recording, and archiving. Required for toxicology and safety studies submitted to regulators.
GCP
Good Clinical Practice
Governs clinical trials. Covers trial design, informed consent, data integrity, investigator conduct, and ethics. Ensures patient safety and data reliability in human studies.
GDocP
Good Documentation Practice
Applies across all GxP areas. Covers record creation, retention, security, archiving, and electronic records. The backbone of any GxP system.
Other variants
GAMP, GEP, GAP, etc.
GAMP (Automated Manufacturing), GEP (Engineering Practices), GAP (Agriculture Practices) extend the GxP framework to specialised areas and processes.
Most manufacturers operate under one or more of these frameworks. A pharmaceutical manufacturer might have GMP for drug manufacturing, GDP for distribution, GCP for clinical trials, and GDocP applied everywhere. A contract manufacturer might be multi-purpose: GMP for pharma, GMP for medical devices, GMP for supplements.
GMP in practice: the five Ps
GMP regulations are detailed and technical. But they rest on a simple framework called the "five Ps," which organises the control system:
People
Staff must be qualified, trained, and supervised. Qualifications document education, experience, and training completion. Training is role-specific and competency-based. Supervision ensures people follow procedures. Any deviation requires investigation and corrective action.
Premises
Facilities must be designed, constructed, maintained, and cleaned to prevent contamination and product deterioration. This includes building design, equipment layout, HVAC systems, water systems, and environmental monitoring. Premises are regularly validated to show they perform as designed.
Processes
Manufacturing methods must be documented in detail, understood scientifically, and validated to show they consistently produce quality products. Process changes require impact assessment, re-validation, and documentation. Deviations trigger investigation and corrective action.
Products
Each batch must be tested to specifications. Testing includes identity, potency, purity, and safety. Records of all test results are retained. Specifications are scientifically justified and reviewed periodically. Out-of-specification results trigger investigation and decision about product disposition.
Procedures
All critical activities must have written procedures. Procedures are followed during all manufacturing runs. Deviations from procedure are documented, investigated, and explained. Procedures are reviewed periodically and updated when needed.
The five Ps are the skeleton. The flesh is thousands of pages of regulatory text, industry guidance, and company procedures. But when you strip away the detail, GMP is about managing those five elements systematically.
Documentation and ALCOA+ principles
Documentation is the spine of GxP. Without records, there is no evidence of compliance. Regulators cannot see your facility all the time, but they can read your records. Every critical activity must be documented: what was done, by whom, when, and with what result.
The framework for how to handle data is called ALCOA+, developed by the FDA. Each letter stands for a principle:
Attributable
The person who generated or modified the data must be clearly identified. In paper records, this is initials and date. In electronic records, this is automatic username logging with timestamps.
Legible
Records must be easy to read. Handwriting must be clear. Electronic records must be in a readable format. Altered records must show the original entry, the change, the reason for the change, and who made the change (audit trail).
Contemporaneous
Data must be recorded at the time the activity occurs, not recalled from memory later. "Real-time" is the standard. Batch records are completed during the manufacturing run, not reconstructed after.
Original
The original record (or a certified copy) must be retained. In the electronic age, this means the electronic record is the original, not a printout. Backups must be secure and verified.
Accurate
Data must be correct. Calculations must be double-checked. Transcription errors must be caught. Procedures must include checks to prevent errors before they happen.
Complete (the "+" part)
Every required field in a record must be filled. Nothing is left blank without a documented reason. Omissions are not acceptable.
ALCOA+ also includes provisions for data integrity and security. Electronic records systems must have controls to prevent unauthorised access, accidental deletion, or alteration. User access is logged. System changes are documented. The system must produce a permanent, unchangeable audit trail.
Training and qualification
GxP requires that everyone involved in manufacturing has the education, experience, and training to perform their role. This goes far beyond a one-time orientation. It is continuous, role-specific, and documented.
Most manufacturers use a qualification framework that includes several elements. Initial qualification documents what education and experience someone brings to the job. If they have a chemistry degree and 5 years of pharma manufacturing experience, that is documented. If they are new, that is also documented, and the training load is heavier.
Training is then role-specific. A line operator learns how to run the line, what to do if the temperature deviates, how to fill out the batch record, and what to do if something goes wrong. A quality technician learns how to use testing equipment, how to collect samples, and how to record results. A manager learns how to supervise, how to investigate deviations, and how to make decisions about product disposition.
Training is not just a course. It is usually a combination of classroom learning, hands-on demonstration, and supervised practice. Someone new to a line might spend 2 to 4 weeks in training before they are certified to operate independently. This is documented: what was taught, by whom, when, and how competency was assessed.
Training that expires
GxP training is not "one and done." It is refreshed periodically, usually annually. If someone hasn't received refresher training within the specified period, they are not qualified to perform that role until they are retrained. Records must show current qualification status.
Generic training
A "GxP overview" course for all employees is good but insufficient. The Quality Manager, the line operator, and the lab technician all need GxP training tailored to their role and responsibility.
No competency assessment
Training records must show not just attendance but competency. Did the person understand? Can they do the job? This is usually assessed through observation, written exam, or practical demonstration.
Audits and regulatory inspections
GxP compliance is verified through two types of audits: internal audits (your company audits itself) and regulatory inspections (the FDA or other authority audits you).
Internal audits are required by GMP regulations. A manufacturer must audit itself at least once per year, though many do it more frequently. Internal audits assess compliance against the company's own procedures and against GxP regulations. Any findings are documented and a corrective action plan is required. Internal audits are designed to catch problems before the regulator does.
Regulatory inspections happen when the FDA, EMA, or other authority decides to visit. The frequency and scope vary. High-risk products get inspected more often. Inspection scope can be a routine compliance check (does the facility comply with GMP) or a targeted inspection (did you follow procedure on batch XYZ). During an inspection, regulators review records, interview staff, observe operations, and test products. They issue findings if they find evidence of non-compliance.
483 observations
Minor findings, typically about documentation or procedural gaps. Not a violation but must be corrected. The company has 15 working days to respond in writing explaining how the issue will be corrected.
Warning Letter
Serious findings indicating significant non-compliance. The company has 15 working days to respond. Failure to address findings can result in regulatory action: product seizure, import detention, or facility closure.
Consent Decree
The most severe regulatory action short of criminal prosecution. It requires FDA approval before the facility can resume manufacturing. Compliance is monitored closely.
When a regulator identifies a problem, they expect a thorough investigation and a credible corrective action plan. This is called CAPA (Corrective and Preventive Action). A CAPA addresses the root cause (not just the symptom), prevents the problem from recurring, and includes steps to verify that the fix is working. CAPAs are documented and tracked to closure.
Common pitfalls and mistakes
Experienced quality professionals know which compliance mistakes appear over and over. Here are the most common:
Procedure exists but is not followed
A facility has comprehensive written procedures. But the actual work is done differently. The operator has a faster way. The procedure is old. Nobody updated it. Regulators see this constantly. The solution is simple: either follow the procedure, or formally change the procedure. Doing one thing and documenting another is a serious violation.
Records are incomplete or backdated
A batch record has missing temperatures. An operator fills them in from memory days later. A deviation occurs but is not documented until the next shift. Records that are created after the fact, filled in from memory, or altered without proper audit trail are unacceptable evidence of compliance.
Deviations are not investigated
A test shows an out-of-specification result. Instead of investigating, someone reruns the test and gets a pass. The failed test is discarded. Deviations must be documented and investigated, even if the batch ultimately passes. Discarding inconvenient data is a serious violation.
Specifications are too loose or not scientifically justified
A specification says a product must contain 95 to 105% of the stated amount. When three batches fail, the spec is widened to 90 to 110% without study or justification. Specifications must be based on safety and efficacy data. Changing specs to make bad batches pass is a serious violation.
Training is not current or role-specific
An employee hasn't completed annual refresher training but continues to work. A person trained as an operator five years ago is now doing QA but has no QA training. Training records don't match actual job responsibilities. These are common violations.
Change control is bypassed
A supplier changes a raw material. A new procedure is implemented without review and validation. Equipment is upgraded without impact assessment. Any change affecting product quality must go through formal change control. Bypassing it is a serious violation.
GxP beyond pharma: food safety and other sectors
While GxP originated in pharmaceuticals, similar frameworks now govern other industries where product safety is critical to public health.
Food manufacturing operates under GMP rules for food products. These are similar in spirit to pharmaceutical GMP: facility design, equipment maintenance, training, and documentation. The focus is on preventing contamination and controlling hazards. In many countries, food GMP is combined with HACCP (Hazard Analysis and Critical Control Points), which adds systematic hazard identification and critical control point monitoring.
In Europe, food safety often follows FSSC 22000 (Food Safety System Certification), which integrates HACCP with ISO 22000 principles. FSSC 22000 requires hazard analysis, prerequisite programs, operational procedures, monitoring, corrective actions, and documentation. It is essentially the GxP equivalent for food.
Medical devices are governed by GMP regulations that vary by country but share the same GxP logic: design control, manufacturing procedures, testing, supplier management, training, and documentation. Some aspects are stricter than pharma GMP (design history files, traceability) while others are less stringent.
Cosmetics, supplements, and other categories have GMP requirements. In the EU, cosmetics GMP is mandatory. In the US, it is less strict for cosmetics than for drugs, but still required. Supplements in the US fall under dietary supplement GMP rules, which parallel drug GMP but with some differences.
The commonality across all these areas is the framework: documented procedures, trained personnel, equipment maintenance, testing, record keeping, and periodic audits. The details change based on the product and hazards, but the system logic is the same.
GxP and digital tools: electronic records and compliance
Historically, GxP was built around paper records. Batch records were printed and signed. Procedures were posted on bulletin boards. Training records were filed in cabinets. This approach is labour-intensive, error-prone, and slow. Regulators cannot see a problem until someone reports it.
Digital systems change this. Electronic batch records are entered in real time. Deviations trigger automatic notifications to supervisors. Non-conforming batches lock automatically until an investigation is complete. Training compliance is tracked automatically, with alerts when refresher training is due. This is faster, more accurate, and more transparent.
21 CFR Part 11 (US)
FDA regulation that governs electronic records and signatures. Requires that electronic systems be validated, that data cannot be altered without audit trail, that access is controlled, and that electronic signatures are legally binding.
Annex 11 (EU)
EU regulation covering computerised systems in a GMP environment. Requires validation, risk assessment, control of changes, security, backup and recovery, and audit trails.
Data integrity guidelines
FDA released data integrity guidance in 2015, updated periodically. Requires that data be ALCOA+: attributable, legible, contemporaneous, original, accurate, and complete. Electronic systems must prevent manipulation and provide audit trails.
Implementing digital tools requires validation. A system cannot simply be installed and used. It must be tested to show that it performs as designed, that data is secure, and that it does not introduce new risks. Validation includes user requirements documentation, design specifications, installation qualification, operational qualification, and performance qualification. This can take months for a complex system.
One caution: digital tools are powerful enablers, but they do not replace the system. A bad process documented electronically is still a bad process. A well-designed digital tool paired with a weak quality culture may improve tracking but will not prevent mistakes. The most effective digital implementations combine good tools with strong discipline, training, and oversight.