Comparatively Speaking: cGMP vs. ISO

Tony O'Lenick draws on the expertise of Joe Albanese, technical marketing manager of personal care for 3V Inc., in this discussion of the differences between current Good Manufacturing Practices (cGMP) compliance and International Standards Organization (ISO) certification.

There was a time when cGMP and ISO were further apart. The industry used to say that having cGMP compliance was more than half way to obtaining ISO certification. However, having ISO certification was nowhere near meeting the requirements for the more stringent cGMP guidelines. This was because cGMP covered not only good manufacturing practices, but also all related activities such as: processing equipment and procedures, cleanliness, packaging, holding/storing raw ingredients, testing, quality control, training of personnel, etc.—specifically for the pharmaceuticals industry.

The later ISO certification covered most other aspects of any company’s operations such as finances, marketing, procurement, sales, etc., regardless of the type of business and with comparatively little regard for manufacturing operations. Of course, many companies do not actually manufacture anything. Today, this author believes that both cGMP and ISO incorporate certain key elements from one another. Following are some of the other similarities and differences between the two.

The intent of both cGMP and ISO is to establish “quality assurance” systems. Throughout the years, the primary purpose and intent of these programs remains unchanged. Both require written policy manuals, procedures, maintenance of records and documents to assure products meet their design specifications. Both also use internal and external audits as periodic checks for conformity to guidelines.

It is important to note that quality assurance (QA) is not the same as quality control (QC). The confidence that products will consistently meet the highest standards is provided by an overall QA program. In cGMPs, QC is one essential element of the total QA program. The QC program details the actual steps taken to assure quality. QC includes setting product specifications and providing analytical and other test methods, as well as establishing sampling frequency and procedures so that only quality products reach the marketplace.

The major differences also remain unchanged. First, cGMP compliance is mandatory and required by law while ISO certification is completely voluntary. The cGMP guidelines for pharmaceutical, food, drug and cosmetics are compliance programs mandated and regulated by the US Food and Drug Administration (FDA). It should be noted that while the cosmetics and personal care industry considers itself self-regulated, most companies have implemented cGMPs; also, the FDA does have the ultimate authority.

Although Congress passed the GMP Act in 1965, cGMP Guidelines did not go into effect until 1978. These have the full force of the law behind them, giving the FDA the authority to conduct on-site inspections (audits), issue warning letters publicly, and enforce product recalls and seizures of adulterated products, etc. The Code of Federal Regulations, i.e. the Food, Drug and Cosmetic Act 21 CFR, Parts 210 and 211, set forth the minimum standards required to guarantee the safety, identity, strength, purity and quality to protect consumers from adulterated products from entering the market. The sale of products that are consistently both safe and effective is the aim to protect public health.

In contrast, ISO 9001 did not come along until 1987 as a voluntary program for all industries. ISO quality standards were designed to assure customer satisfaction and not necessarily to protect consumers. There is no law requiring ISO certification. There are many consulting companies for hire to help companies obtain ISO certification, as well as companies that are approved to audit and award ISO certification. In 2003, a newer ISO (13485) came out to cover the design and manufacture of medical devices.

The "c" in cGMP stands for current and indicates that GMPs are a dynamic set of guidelines that are subject to change in order to keep current with advances in science, technology and practices. In fact, the FDA released updated cGMP guidelines in 1997. Then in 2004, the FDA issued the “Guidance for Industry—Quality System Approach to Pharmaceutical cGMP." This guidance includes things one “should” do to reach compliance with the updated cGMP requirements. These “should-dos” are suggestions or recommendations and are not necessarily required.

Some of these suggestions include certain aspects from the ISO 9001 "Quality Management Systems" document. This brought the two separate quality systems (cGMP and ISO) closer together. Now if one is cGMP compliant, it is even easier to achieve ISO certification. With the updated cGMP in place, some feel that companies are are already 80% towards the goal of ISO certification. In order to determine exactly how much further a company must go to reach ISO or cGMP, detailed side-by-side gap analysis should be conducted to compare these standards with the program the company already has in place. Software programs are available to help accomplish this. In the end, however, some consider it unlikely that there will ever be a total harmonization of both cGMP and ISO requirements.

How might cGMP and ISO requirements impact formulators? By understanding the requirements for product specifications up front, especially in relation to QC and QA, formulators can build formulas that take the methods by which products will be scaled up and processed into account, thus avoiding potential issues of noncompliance that could arise in later stages.

More in Regional