GAMP 5 for GxP Compliant Computerized Systems

What is GAMP 5?

GAMP®5 is an acronym for the guideline Good Automated Manufacturing Practices issue 5. The GAMP 5 guideline provides a risk-based approach to designing, developing, and maintaining computerized systems in a GxP-regulated environment. The guideline is intended to be used by manufacturers, regulatory authorities, and other stakeholders to ensure that computerized systems in the pharmaceutical and medical device industries are validated and operate as intended. The GAMP guideline is purely advisory and has no legal obligation. Yet, the guideline is referenced by many regulatory agencies worldwide.

Intended use of GAMP 5

GAMP 5 is intended to be used with other industry guidelines and regulations, such as 21 CFR Part 11 (regulations for electronic records and electronic signatures) and ISO 13485 (a standard for quality management systems for medical devices). It is a widely accepted guide for designing, developing, and maintaining computerized systems in the pharmaceutical and medical device industries.

Historical developments in GAMP 5

The GAMP guideline was first published in 1995, prompted by the initiative of a few UK-based pharmaceutical experts for better management of GxP compliance. Eventually, they joined forces with the International Society for Pharmaceutical Engineering (ISPE) to publish the GAMP guideline.
Many revisions in the guideline were published after the first issue in 1995. The last three revisions were GAMP4 (published in 2001), GAMP5 (published in 2008), and GAMP 5 second edition (published in 2022).
The second edition of GAMP 5 is the most significant update in the GAMP 5 guideline over the past 14 years.

The concept behind the GAMP 5 second edition?

The initial GAMP 5 version (2008) was conceptually grounded on the science-based risk management strategy mentioned in 21^stCentury regulatory GxP compliances and the ICH Q8, Q9 & Q10. It was also designed to be compatible with IEEE standards, ISO 9000 and ISO 12207, IT Infrastructure Library (ITIL), and other international standards such as PIC/S Guidance Practice for Computerized Systems in Regulated GxP Environments. Basically, GAMP 5 was already a very pragmatic approach to designing, developing, and maintaining the GxP-regulated computerized system.

The objective of publishing the GAMP 5 second edition (2022) was to update the guidance in accordance with the latest technological upgrades, contemporary practices, and the elimination of burdensome approaches. Therefore, the GAMP 5 second edition also aligns with the new FDA guidance "Computer Software Assurance for Production and Quality System Software," published in September 2022, and ISO 14971 for medical devices – application of risk management to medical devices and agile approach for development and validation.

As a result, the GAMP 5 second edition focuses more on patient safety, product quality, and data integrity over meeting compliance and avoiding inspection findings, as in the case of the earlier edition. In addition, it provides guiding principles for new technological advances such as cybersecurity, data integrity, and the use of cloud computing in regulated environments while including updated guidance on topics such as the use of agile development methodologies and the application of risk management principles to the validation of computerized systems.

To address the topics mentioned above, the GAMP 5 second edition includes the following new appendices by considering novel technology, new processes, new topics, and technical topics that require an update in management, development, and operations guidelines:

IT Infrastructure
Critical Thinking
Specifying Requirements
Agile Software Development
Software Tools
Distributed Ledger Systems (Blockchain)
Artificial Intelligence (AI) and Machine Learning (ML)

If you are already familiar with the structure of GAMP 5 and would like to know more about the changes, updates, and new additions in the GAMP 5 2nd edition, go through our GAMP 5 2nd Edition Guideline. However, if you are interested in the key principles on which the GAMP 5 guideline is based, you can continue reading the article.

Key Principles of GAMP 5 Guideline

The five key principles act as guiding lights to implementing GAMP 5 in practice. These principles are as follows:

Key Principle 1: Product and Process Knowledge

The GAMP 5 promotes critical thinking to apply risk-based testing and validation approaches. Having sound product and process knowledge is crucial to differentiate between critical and non-critical aspects. If the product and process knowledge are sound, then the GxP-regulated life sciences industries can make risk-based decisions to ensure that the system is "suitable for use." Additionally, GxP-regulated industries should pay more attention to "those aspects crucial to patient safety, product quality, and data integrity" while determining the system's suitability for use.

Key Principle 2: Lifecycle approach

According to GAMP5, the GxP-regulated industries should follow a systematic lifecycle-based approach for implementing new computerized systems in their organizations. The lifecycle approach suggested in the GAMP 5 guideline covers four stages in implementing a computerized system, from conceptualization to its retirement.

Concept:

This is the conceptualization stage of the computerized system. Although it is out of the GAMP scope for the computerized system suppliers, at this stage, GxP-regulated life sciences manufacturers are considering possible automation opportunities, listing the initial requirements, and searching for suitable computerized system suppliers.

Project:

The project stage begins only after the manufacturers have identified suitable computerized system suppliers to fulfill the requirements they listed in the conceptualization stage. At the project stage, the computerized system is designed, developed, deployed, and assessed for GxP compliance in accordance with manufacturer requirements stated in the conceptualization stage.

The older GAMP 5 edition recommended a V-model-based strategy, or a waterfall-model-based approach, for performing the activities in the Project stage. However, with the release of the GAMP 5 2^nd edition, these older strategies are no longer the most convenient strategies for the GxP assessment, especially when it comes to supporting the software developed in an agile development environment. The earlier approach is commonly referred to as the 'Linear Approach,' whereas the new approach is referred to as the 'Agile Approach.' If you are interested in knowing the detailed differences between these approaches, please go through the article here; it will walk you through the most significant differences in these models.

Infographic that shows the Agile Model following GAMP 5 2nd edition recommendations | Scilife

In present times, the Agile approach is an absolute necessity to implementing computerized systems in the form of SaaS, Artificial Intelligence models, or Machine Learning models because the purpose of the SaaS-based computerized systems is to roll out the latest versions faster to meet the changing needs of life sciences customers. Whereas in the case of Artificial intelligence-based models, or Machine learning models, the purpose is constantly updating the model with new information to improve the model performance. Therefore, the agile approach to assessing GxP compliance is a more practical and convenient approach to assessing the GxP compliance of such computerized systems.

After the computerized system is successfully designed, developed, deployed, and assessed using the most appropriate approach, the manufacturers may proceed to the next lifecycle stage of Operations.

Operations:

In the operations stage, the computerized system is functional in day-to-day operations. Generally, it is the most extended phase in a product's lifecycle. The operation stage's main objective is to maintain the computerized system in the validated state. The change control processes and disaster recovery processes followed by the manufacturer play an important role in ensuring that the computerized system remains in the validated condition.

Retirement:

When the manufacturer needs to replace the old computerized system with a new one or when the computerized system is no longer of any practical use to the manufacturer, then manufacturers can proceed to the Retirement stage of the computerized system lifecycle.

As can be deduced, at the retirement stage, the computerized system is retired, decommissioned, or migrated. The retirement phase is not officially defined in the GAMP, but the operations needed for retirement are described in the operation stage. These activities may include crucial aspects such as the retirement plan and data management after retirement, etc.

According to the GAMP 5 guidelines, all the lifecycle stages of a computerized system should be defined within the quality management system (QMS). This allows for a consistent approach across all systems.

Key Principle 3: Scalable

Another guiding key principle of GAMP 5 is the scalability of the approach. Therefore, the GAMP 5 advises looking for scalable approaches while developing a computerized system. The Agile Approach stated in the GAMP 5 2^nd edition complements the key principle of scalability.

Therefore, as and when applicable, the manufacturers can opt for a more appropriate development approach to support the scalability of the computerized system. The scalability can be achieved with the help of a Waterfall Model, the V model, the Agile Model, or even a reduced model or more extended model based on the scale or scope of the system that is being validated.

Infographic that shows the Waterfall Model, an approach recommended in GAMP 5 2nd edition guidelines | Scilife

Key Principle 4: Quality Risk Management

According to the GAMP 5 2^nd edition, manufacturers must emphasize more on patient safety, product quality, and data integrity. Therefore, the computerized systems' quality attributes that directly or indirectly impact patient safety, product quality, and data integrity must be evaluated thoroughly with more detailed attention to causes and effects.

The fourth key principle of Quality Risk Management plays a vital role as a deciding factor in determining which computerized system tests should be prioritized over the other. The risk-based prioritization helps spend more time and effort on critical aspects of quality while eliminating the unnecessary expenditure of time and resources on the non-critical aspects of the quality.

Another important change in GAMP 5 2^nd edition states that testing should be limited to GxP cases based on risk assessment. According to the GAMP 5 2^nd edition, more testing is emphasized over more documentation. For example, adopting an exception-reporting approach to recording results, according to which a simple "Pass" recording is enough if the system is working as intended. In other words, there is no need to capture excessive screenshots as evidence in most of the tests. Only those tests that are critical may require additional screenshots as evidence. Therefore, while testing, focusing on unexpected issues to find the root cause is prioritized to apply the proper corrective action. In addition, the guidance mentions that looking for minor errors in the documentation gives little value and poses a low risk to patient safety, product quality, and data integrity. Hence, it is better to focus on other issues of greater significance.

In a nutshell, Quality Risk Management enables companies to focus on critical aspects of the information system and to develop controls to mitigate the potential risks associated with patient safety, product quality, and data integrity.

Key Principle 5: Leverage Supplier Activity

The guideline also proposes to leverage supplier expertise and activity support during the Project stage in the computerized system's lifecycle for more thoughtful and faster adoption of the computerized system. The validation packages from suppliers can be effectively leveraged to satisfy the GxP verification requirements to avoid duplication. Therefore, the validation packages act as an additional layer of assurance. Additionally, the suppliers can assist the manufacturer with the maintenance, testing, technical support, collection of requirements, and configuration of the information system.

GAMP 5 Categories

The GAMP 5 guidance provides a risk-based approach for classifying software according to the risk involved in GxP and Functional compliance. Category 2, associated with the firmware in GAMP 4, is removed from GAMP 5. The GAMP 5 categories defined in the GAMP 5 2nd edition are the same as its predecessor. The classification system is as follows:

Category	Software Type	Activity Level
1	Infrastructure (OS, DB, MW, etc.)	Not subject to specific functional Verification Features are functionally tested and challenged indirectly during the testing of the application. Identity and version numbers of layered software and operating systems should be documented and verified during installation.
3	Non-configurable Software	Verification of the installation Acceptance testing and "fitness for use." Testing comprises risk assessment, supplier assessment, acceptance testing, and "fitness for use."
4	Configurable Software	Testing comprises: Correct installation and configuration Functional testing because of risk analysis or the supplier assessment Acceptance testing and "fitness for use" compared to requirements
5	Customizable Software	Testing comprises: Correct installation Functional & Design Specification Functional testing based on risk assessment and supplier assessment Acceptance testing and "fitness for use" compared to requirements.

As per this classification system, the risk associated with each category type increases sequentially from Category 1 to Category 5. The more the risk associated with the category, the more rigorous Computer System Validation (CSV) approach is needed for the system. The higher the GAMP 5 category, the higher activity is needed to be performed at the specification and validation steps of the project phase. The risk-based categories enable manufacturers to make more rational decisions throughout the computerized system lifecycle.

Conclusion

While all the recommendations made in the GAMP 5 guideline are non-binding to the GxP-regulated industries, they are crucial to ensure patient safety, product quality, and data integrity. The recommendations in the GAMP 5 guideline are coherent with the current GxP requirements defined by the EU & US regulatory agencies. Therefore, it is the most comprehensive guideline for validating the computerized systems to meet GxP requirements. Furthermore, the GAMP 5 revisions ensure alignment with the ever-evolving technological advances in the software development processes.

The approach proposed in the GAMP 5 guidelines provides a practical and convenient pathway for life sciences manufacturers to work hand in hand with the computerized system suppliers, which results in a reduced testing burden on the shoulders of the manufacturers operating in the GxP-regulated industries.

The correct GAMP 5 application allows manufacturers to significantly reduce the time and costs necessary for validating and maintaining their (compliant) systems while ensuring patient safety, product quality, and data integrity. Additionally, it prepares manufacturers to face government audits and inspections more efficiently.

Find out how Scilife GAMP 5 validation approach can help you stay fully compliant with 21 CFR Part 11 and ISO 13485!