GAMP 5 for GxP Compliant

Computerized Systems
Flow……………………………………………………………………………………………
………………………………

 What is GAMP 5?

 Intended use of GAMP 5

 Historical developments in GAMP 5

 The concept behind the GAMP 5 second edition?

 Key Principles of GAMP 5 Guideline

o Key Principle 1: Product and Process Knowledge

o Key Principle 2: Lifecycle approach

 Concept:

 Project:

 Operations:

 Retirement:

o Key Principle 3: Scalable

o Key Principle 4: Quality Risk Management

o Key Principle 5: Leverage Supplier Activity

 GAMP 5 Categories

1 | Page
What is GAMP 5?
GAMP®5 is an acronym for the guideline Good Automated Manufacturing
Practices issue 5. The GAMP 5 guideline provides a risk-based approach to
designing, developing, and maintaining computerized systems in a GxP-
regulated environment.

The guideline is intended to be used by manufacturers, regulatory

authorities, and other stakeholders to ensure that computerized systems
in the pharmaceutical and medical device industries are validated and
operate as intended. The GAMP guideline is purely advisory and has no
legal obligation. Yet, the guideline is referenced by many regulatory
agencies worldwide.

Intended use of GAMP 5

GAMP 5 is intended to be used with other industry guidelines and
regulations, such as 21 CFR Part 11 (regulations for electronic records and
electronic signatures) and ISO 13485 (a standard for quality management
systems for medical devices). It is a widely accepted guide for designing,
developing, and maintaining computerized systems in the pharmaceutical
and medical device industries.

If you'd like to dive deeper into these key related regulations, don't
hesitate to get a full overview in our QMS in pharma guide.

Historical developments in GAMP 5

 The GAMP guideline was first published in 1995, prompted by the
initiative of a few UK-based pharmaceutical experts for better
management of GxP compliance. Eventually, they joined forces with
the International Society for Pharmaceutical Engineering (ISPE) to
publish the GAMP guideline.

 Many revisions in the guideline were published after the first issue in
1995. The last three revisions were GAMP4 (published in 2001),
GAMP5 (published in 2008), and GAMP 5 second edition (published
in 2022).

 The second edition of GAMP 5 is the most significant update in the

GAMP 5 guideline over the past 14 years .
2 | Page
The concept behind the GAMP 5 second
edition?
The initial GAMP 5 version (2008) was conceptually grounded on the
science-based risk management strategy mentioned in 21 st Century
regulatory GxP compliances and the ICH Q8, Q9 & Q10. It was also
designed to be compatible with IEEE standards, ISO 9000 and ISO 12207,
IT Infrastructure Library (ITIL), and other international standards such
as PIC/S Guidance Practice for Computerized Systems in
Regulated GxP Environments. Basically, GAMP 5 was already a very
pragmatic approach to designing, developing, and maintaining the GxP-
regulated computerized system.

The objective of publishing the GAMP 5 second edition (2022) was to

update the guidance in accordance with the latest technological upgrades,
contemporary practices, and the elimination of burdensome approaches.
Therefore, the GAMP 5 second edition also aligns with the new FDA
guidance "Computer Software Assurance for Production and Quality
System Software," published in September 2022, and ISO 14971 for
medical devices – application of risk management to medical devices and
agile approach for development and validation.

As a result, the GAMP 5 second edition focuses more on patient safety,

product quality, and data integrity over meeting compliance and avoiding
inspection findings, as in the case of the earlier edition. In addition, it
provides guiding principles for new technological advances such as
cybersecurity, data integrity, and the use of cloud computing in regulated
environments while including updated guidance on topics such as the use
of agile development methodologies and the application of risk
management principles to the validation of computerized systems.

To address the topics mentioned above, the GAMP 5 second edition

includes the following new appendices by considering novel technology,
new processes, new topics, and technical topics that require an update in
management, development, and operations guidelines:

 IT Infrastructure

 Critical Thinking

 Specifying Requirements

3 | Page
  Agile Software Development

 Software Tools

 Distributed Ledger Systems (Blockchain)

 Artificial Intelligence (AI) and Machine Learning (ML)

If you are already familiar with the structure of GAMP 5 and would like to
know more about the changes, updates, and new additions in the GAMP 5
2nd edition, go through our GAMP 5 2nd Edition Guideline. However, if you
are interested in the key principles on which the GAMP 5 guideline is
based, you can continue reading the article.

Key Principles of GAMP 5 Guideline

The five key principles act as guiding lights to implementing GAMP 5 in
practice.

These principles are as follows :

Key Principle 1: Product and Process Knowledge

The GAMP 5 promotes critical thinking to apply risk-based testing and

validation approaches. Having sound product and process knowledge is
crucial to differentiate between critical and non-critical aspects. If the
product and process knowledge are sound, then the GxP-regulated life
sciences industries can make risk-based decisions to ensure that the
system is "suitable for use." Additionally, GxP-regulated industries should
pay more attention to "those aspects crucial to patient safety, product
quality, and data integrity" while determining the system's suitability for
use .

Key Principle 2: Lifecycle approach

According to GAMP5, the GxP-regulated industries should follow a
systematic lifecycle-based approach for implementing new computerized
systems in their organizations. The lifecycle approach suggested in the
GAMP 5 guideline covers four stages in implementing a computerized
system, from conceptualization to its retirement.

4 | Page
Concept:
This is the conceptualization stage of the computerized system. Although
it is out of the GAMP scope for the computerized system suppliers, at this
stage, GxP-regulated life sciences manufacturers are considering possible
automation opportunities, listing the initial requirements, and searching
for suitable computerized system suppliers.

Project:
The project stage begins only after the manufacturers have identified
suitable computerized system suppliers to fulfill the requirements they
listed in the conceptualization stage. At the project stage, the
computerized system is designed, developed, deployed, and assessed for
GxP compliance in accordance with manufacturer requirements stated in
the conceptualization stage.

The older GAMP 5 edition recommended a V-model-based strategy, or a

waterfall-model-based approach, for performing the activities in the
Project stage. However, with the release of the GAMP 5 2 nd edition, these
older strategies are no longer the most convenient strategies for the GxP
assessment, especially when it comes to supporting the software
developed in an agile development environment.

The earlier approach is commonly referred to as the 'Linear Approach,'

whereas the new approach is referred to as the 'Agile Approach.' If you
are interested in knowing the detailed differences between these
approaches, please go through the article here; it will walk you through
the most significant differences in these models.

5 | Page
In present times, the Agile approach is an absolute necessity to
implementing computerized systems in the form of SaaS, Artificial
Intelligence models, or Machine Learning models because the purpose of
the SaaS-based computerized systems is to roll out the latest versions
faster to meet the changing needs of life sciences customers. Whereas in
the case of Artificial intelligence-based models, or Machine learning
models, the purpose is constantly updating the model with new
information to improve the model performance. Therefore, the agile
approach to assessing GxP compliance is a more practical and convenient
approach to assessing the GxP compliance of such computerized systems.

After the computerized system is successfully designed, developed,

deployed, and assessed using the most appropriate approach, the
manufacturers may proceed to the next lifecycle stage of Operations.

Operations:
In the operations stage, the computerized system is functional in day-to-
day operations. Generally, it is the most extended phase in a product's
lifecycle. The operation stage's main objective is to maintain the
computerized system in the validated state. The change control processes
and disaster recovery processes followed by the manufacturer play an
important role in ensuring that the computerized system remains in the
validated condition.

6 | Page
Retirement:
When the manufacturer needs to replace the old computerized system
with a new one or when the computerized system is no longer of any
practical use to the manufacturer, then manufacturers can proceed to the
Retirement stage of the computerized system lifecycle.

As can be deduced, at the retirement stage, the computerized system is

retired, decommissioned, or migrated. The retirement phase is not
officially defined in the GAMP, but the operations needed for retirement
are described in the operation stage. These activities may include crucial
aspects such as the retirement plan and data management after
retirement, etc.

According to the GAMP 5 guidelines, all the lifecycle stages of a

computerized system should be defined within the quality management
system (QMS). This allows for a consistent approach across all systems.

Key Principle 3: Scalable

Another guiding key principle of GAMP 5 is the scalability of the approach.
Therefore, the GAMP 5 advises looking for scalable approaches while
developing a computerized system. The Agile Approach stated in the
GAMP 5 2nd edition complements the key principle of scalability.

Therefore, as and when applicable, the manufacturers can opt for a more
appropriate development approach to support the scalability of the
computerized system. The scalability can be achieved with the help of a
Waterfall Model, the V model, the Agile Model, or even a reduced model or
more extended model based on the scale or scope of the system that is
being validated .

7 | Page
Key Principle 4: Quality Risk Management
According to the GAMP 5 2 nd edition, manufacturers must emphasize more
on patient safety, product quality, and data integrity. Therefore, the
computerized systems' quality attributes that directly or indirectly impact
patient safety, product quality, and data integrity must be evaluated
thoroughly with more detailed attention to causes and effects.

The fourth key principle of Quality Risk Management plays a vital role as a
deciding factor in determining which computerized system tests should be
prioritized over the other. The risk-based prioritization helps spend more
time and effort on critical aspects of quality while eliminating the
unnecessary expenditure of time and resources on the non-critical aspects
of the quality.

Another important change in GAMP 5 2 nd edition states that testing should

be limited to GxP cases based on risk assessment. According to the GAMP
5 2nd edition, more testing is emphasized over more documentation. For
example, adopting an exception-reporting approach to recording results,
according to which a simple "Pass" recording is enough if the system is
working as intended. In other words, there is no need to capture excessive
screenshots as evidence in most of the tests. Only those tests that are
critical may require additional screenshots as evidence. Therefore, while
testing, focusing on unexpected issues to find the root cause is prioritized
to apply the proper corrective action. In addition, the guidance mentions
8 | Page
that looking for minor errors in the documentation gives little value and
poses a low risk to patient safety, product quality, and data integrity.
Hence, it is better to focus on other issues of greater significance.

In a nutshell, Quality Risk Management enables companies to focus on

critical aspects of the information system and to develop controls to
mitigate the potential risks associated with patient safety, product quality,
and data integrity.

Key Principle 5: Leverage Supplier Activity

The guideline also proposes to leverage supplier expertise and activity

support during the Project stage in the computerized system's lifecycle for
more thoughtful and faster adoption of the computerized system. The
validation packages from suppliers can be effectively leveraged to satisfy
the GxP verification requirements to avoid duplication. Therefore, the
validation packages act as an additional layer of assurance. Additionally,
the suppliers can assist the manufacturer with the maintenance, testing,
technical support, collection of requirements, and configuration of the
information system.

GAMP 5 Categories
The GAMP 5 guidance provides a risk-based approach for classifying
software according to the risk involved in GxP and Functional compliance.
Category 2, associated with the firmware in GAMP 4, is removed from
GAMP 5. The GAMP 5 categories defined in the GAMP 5 2nd edition are the
same as its predecessor. The classification system is as follows:

Category
Software Type Activity Level

1 Infrastructure  Not subject to specific functional

Verification
(OS, DB, MW,
etc.)  Features are functionally tested and
challenged indirectly during the
testing of the application.

 Identity and version numbers of

layered software and operating
systems should be documented and

9 | Page
 verified during installation.

3 Non-configurable  Verification of the installation

Software
 Acceptance testing and "fitness for
use."

 Testing comprises risk assessment,

supplier assessment, acceptance
testing, and "fitness for use."

4 Configurable Testing comprises:

Software
 Correct installation and
configuration

 Functional testing because of risk

analysis or the supplier assessment

 Acceptance testing and "fitness for

use" compared to requirements

5 Customizable Testing comprises:

Software
 Correct installation

 Functional & Design Specification

 Functional testing based on risk

assessment and supplier
assessment

 Acceptance testing and "fitness for

use" compared to requirements.

As per this classification system, the risk associated with each category
type increases sequentially from Category 1 to Category 5. The more the
risk associated with the category, the more rigorous Computer System
Validation (CSV) approach is needed for the system. The higher the GAMP
5 category, the higher activity is needed to be performed at the
specification and validation steps of the project phase. The risk-based
categories enable manufacturers to make more rational decisions
throughout the computerized system lifecycle.

Documentation
10 | P a g e
While all the recommendations made in the GAMP 5 guideline are non-
binding to the GxP-regulated industries, they are crucial to ensure patient
safety, product quality, and data integrity. The recommendations in the
GAMP 5 guideline are coherent with the current GxP requirements defined
by the EU & US regulatory agencies. Therefore, it is the most
comprehensive guideline for validating the computerized systems to meet
GxP requirements. Furthermore, the GAMP 5 revisions ensure alignment
with the ever-evolving technological advances in the software
development processes.

The approach proposed in the GAMP 5 guidelines provides a practical and

convenient pathway for life sciences manufacturers to work hand in hand
with the computerized system suppliers, which results in a reduced
testing burden on the shoulders of the manufacturers operating in the
GxP-regulated industries.

The correct GAMP 5 application allows manufacturers to significantly

reduce the time and costs necessary for validating and maintaining their
(compliant) systems while ensuring patient safety, product quality, and
data integrity. Additionally, it prepares manufacturers to face government
audits and inspections more efficiently.

11 | P a g e