
In GxP-regulated sectors like pharma, biotech, and medtech, computerized systems play a key role in ensuring patient safety, data traceability, regulatory compliance, and integrity. Many regulations and guidelines have been developed to validate such systems’ fitness and compliance, GAMP 5 being one of the most well-renowned among regulatory bodies.
What are the GAMP 5 guidelines?Let’s start by addressing the key question: What are the GAMP 5 guidelines? GAMP 5 is an acronym for the guideline Good Automated Manufacturing Practices issue 5, and has been published by the ISPE (International Society for Pharmaceutical Engineering). Although it is purely advisory and has no legal obligation, it is referenced and respected by many regulatory agencies worldwide, including the FDA.
The GAMP 5 guideline is applicable to computerized systems used in regulated environments. It is intended to be used by regulated companies, regulatory authorities, suppliers, and other stakeholders, providing a risk-based approach to ensure that computerized systems in the pharmaceutical and medical device industries are validated and operate as intended.
Importance of GAMP 5: What is GAMP 5 testing of GxP systems?
GAMP 5 is intended to be used with other industry guidelines, standards and GxP regulations, including Good Manufacturing Practice (GMP), Good Clinical Practice (GCP), Good Laboratory Practice (GLP), Good Distribution Practice (GDP), Good Pharmacovigilance Practices (GVP), Medical Device Regulations, 21 CFR Part 11 (regulations for electronic records and electronic signatures), EU GMP Annex 11 and other ISO standards.
It is a widely accepted guide for designing, developing, and maintaining computerized systems in a GxP-regulated environment.
The importance of GAMP 5 in GxP environments lies in five key outcomes:
- Safeguarding patient safety, product quality, and data integrity
- Achieving fit-for-intended use and compliant computerized systems
- Providing a cost-effective and efficient framework
- Facilitating regulatory interpretation and promoting common industry practices
- Supporting innovation and adapting to evolving technologies
If you'd like to dive deeper into these key related regulations, don't hesitate to get a full overview in our QMS in pharma guide.
Historical developments in GAMP 5
An important point in understanding what the GAMP 5 guidelines are is knowing the history behind the guidelines’ launch and revisions:
- GAMP itself was founded in 1991 in the United Kingdom to deal with the evolving US FDA expectations on the management and controls of automated systems required for Good Manufacturing Practices compliance.
- In 1994, the first GAMP guideline was drafted and shared within industry circles, prompted by the initiative of a few UK-based pharmaceutical experts for better management of GxP compliance.
- Then, the first formal GAMP guideline was published in 1995, by GAMP, under the auspices of the ISPE, marking the beginning of a formal partnership between GAMP and ISPE.
- Many revisions to the guideline were published after the first issue in 1995. The last three revisions were GAMP4 (published in 2001), GAMP5 (published in 2008).
- In 2017, CoP leadership began a formal review of GAMP 5 to determine whether it still met its objectives and to focus its efforts on areas where there is most need and benefit.
- Finally, the second edition of GAMP 5 was published in 2022. This second edition of GAMP 5 is the most significant update in the GAMP 5 guideline over the past 14 years.
The concept behind the GAMP 5 second edition
The initial GAMP 5 version (2008) was conceptually grounded on the science-based risk management strategy mentioned in 21st Century regulatory GxP compliances and the ICH Q8, Q9 & Q10. It was designed to be compatible with IEEE standards, ISO 9000 and ISO 12207, IT Infrastructure Library (ITIL), and other international standards such as PIC/S Guidance Practice for Computerized Systems in Regulated GxP Environments.
The objective of GAMP 5 version 2 (2022) was to update the guidance in accordance with the latest technological upgrades, aligning with the new FDA guidance "Computer Software Assurance for Production and Quality System Software," (September 2022), and ISO 14971 for medical devices – application of risk management to medical devices.
As a result, the GAMP 5 second edition focuses more on patient safety, product quality, and data integrity over meeting compliance and avoiding inspection findings, as in the case of the earlier edition. It offers updated guidance on cybersecurity, data integrity, and cloud computing, while also addressing agile development and risk-based validation of computerized systems.
To address the topics mentioned above, the GAMP 5 second edition includes the following new appendices by considering new tech, processes, topics, and technical topics that require an update in management, development, and operations guidelines:
- IT infrastructure
- Critical thinking
- Specifying requirements
- Agile software development
- Software tools
- Distributed Ledger Systems (Blockchain)
- Artificial Intelligence (AI) and Machine Learning (ML)
GAMP 5 V-Model
GAMP 5’s approach can be summed up by the V-model diagram, which compares the system specifications created during the verification process testing. A system’s complexity depends on the types of specifications it requires.
For instance, configured products are tested to verify their requirements, functionality, and configuration specifications. Instead, for commercial off-the-shelf software, functional and configuration specifications are not necessary, so the test scope would be reduced.
Verification ensures the system works as intended by testing it against defined requirements and specifications. The test scripts trace back to them, providing documented proof when they are successfully met.
However, traditional “Linear approaches” like the V-model or waterfall may not suit agile environments. That’s why the second edition of GAMP 5 introduces the agile model in GAMP 5 to support faster development. More on that below.
Key principles of GAMP 5 guideline
The following five key principles act as guiding lights to implementing GAMP 5 in practice:
Key principle 1: product and process knowledge
The GAMP 5 promotes critical thinking to apply risk-based testing and validation based on product and process knowledge. This enables the GxP-regulated life sciences industries to make risk-based decisions to ensure that the system is "suitable for use", focusing on aspects crucial to patient safety, product quality, and data integrity.
Key principle 2: GAMP 5 validation lifecycle explained
According to GAMP5, the GxP-regulated industries should follow a four-stage systematic lifecycle-based approach for implementing new computerized systems. Continuing on, you will find the GAMP 5 validation lifecycle explained:
Concept:
Although it is out of the GAMP scope for the computerized system suppliers, at this conceptualization stage, manufacturers are considering automation opportunities, listing initial requirements, and searching for suitable computerized system suppliers.
Project:
Once the manufacturers have identified suitable suppliers, the computerized system is designed, developed, deployed, and assessed for GxP compliance in accordance with the manufacturer's requirements stated in the conceptualization stage.
For this stage, the older GAMP 5 edition recommended a V-model-based strategy or a waterfall-model-based approach. However, with the GAMP 5 2nd edition, these older strategies are no longer the most convenient strategies for the GxP assessment, especially when it comes to supporting the software developed in the Agile model in GAMP 5.
In present times, the Agile approach is crucial to implementing computerized systems like SaaS, AI models, or Machine Learning. This enables faster rollouts to meet the evolving needs of life sciences customers in the case of SaaS, and constantly updating and improving performance in the case of AI and Machine Learning. Meaning that the Agile approach is more practical and convenient for assessing GxP compliance.
Once the computerized system is successfully designed, developed, deployed, and assessed, the manufacturers may proceed to the next lifecycle stage.
Operations:
During this phase, the computerized system is used in day-to-day operations—typically the longest phase in a product's lifecycle. The main objective here is to maintain the computerized system in a validated state, supported by the manufacturer’s change control and disaster recovery processes.
Retirement:
This stage happens when the manufacturer needs to replace the old computerized system with a new one. As can be deduced, at the retirement stage, the computerized system is retired, decommissioned, or migrated.
This phase is not officially defined in the GAMP, but the arrangements needed for retirement, such as data management or retirement plan, are described in the operation stage. According to the GAMP 5 guidelines, all the lifecycle stages of a computerized system should be defined within the quality management system (QMS).
Key principle 3: scalable
GAMP 5 encourages scalable approaches when developing computerized systems. The Agile model in GAMP 5, introduced in the 2nd edition, complements this principle by supporting flexibility and adaptability. Scalability can be achieved by using a Waterfall, V, or Agile model, or even a reduced or more extended model based on the system’s scope and scale.
Key principle 4: quality risk management
Manufacturers must prioritize patient safety, product quality, and data integrity. As such, computerized system attributes that directly or indirectly impact these areas should be thoroughly evaluated, with careful attention to their causes and effects.
Quality Risk Management plays a vital role in determining which tests should be prioritized over others. The risk-based prioritization helps spend more time and effort on critical aspects over non-critical ones.
GAMP 5 2nd edition promotes a GxP risk-based testing approach that emphasizes testing over excessive documentation. For instance, it supports exception-based reporting, where a simple "Pass" is sufficient when the system works as intended, eliminating the need for unnecessary screenshots. Only high-risk or critical tests may require additional evidence, like screenshots.
The focus is on identifying and investigating unexpected issues to enable effective corrective actions. The guidance also notes that minor documentation errors offer little value and pose low risk to patient safety, product quality, or data integrity. Therefore, attention should shift to higher-impact issues that truly affect system performance and compliance.
Key Principle 5: leverage supplier activity
GAMP 5 also encourages leveraging supplier expertise during the project stage of a computerized system’s lifecycle to enable faster, more effective adoption. Supplier-provided validation packages can help meet GxP verification requirements, reducing duplication and serving as an additional layer of assurance.
GAMP 5 categories
GAMP 5 provides a risk-based approach to classifying software based on its impact on GxP and functional compliance. Category 2, associated with the firmware in GAMP 4, is removed from GAMP 5. The GAMP 5 categories defined in the 2nd edition are the same as its predecessor.
GAMP 5 category 1
Software type:
Infrastructure (OS, DB, MW, etc.)
Activity level:
- Not subject to specific functional Verification
- Features are functionally tested and challenged indirectly during the testing of the application.
- Identity and version numbers of layered software and operating systems should be documented and verified during installation.
GAMP 5 category 3
Software type:
Non-configurable software
Activity level:
- Verification of the installation
- Acceptance testing and "fitness for use."
- Testing comprises risk assessment, supplier assessment, acceptance testing, and "fitness for use."
GAMP 5 category 4
Software type:
Configurable Software
Activity level:
Testing comprises:
- Correct installation and configuration
- Functional testing is conducted because of risk analysis or the supplier assessment
- Acceptance testing and "fitness for use" compared to requirements
GAMP 5 category 5
Software type:
Customizable software
Activity level:
Testing comprises:
- Correct installation
- Functional & Design Specification
- Functional testing based on risk assessment and supplier assessment
- Acceptance testing and "fitness for use" compared to requirements.
The risk associated with each category increases sequentially from category 1 to 5. The more the risk associated with the category, the more rigorous Computer System Validation (CSV) approach is needed.
The higher the GAMP 5 category, the higher the activity needed to be performed at the specification and validation steps of the project phase. This approach enables manufacturers to make more rational decisions throughout the system’s lifecycle.
The 10 deadly sins of GAMP implementation
During one of our previous Scilife Smart Quality Summits, we welcomed Angela Bazigos, a renowned leader in compliance consulting, to share her practical tips for integrating GAMP 5 into everyday operations.
She also highlighted the “10 Deadly Sins of GAMP”, originally presented by Dr. Snipes from the FDA Enforcement Office at the 2009 SQA Annual Conference, insights that continue to remain relevant today.
Here is a list of top sins that he highlighted for companies to watch out for:
- No requirements
- No record of software version used
- Failure to archive all versions of design spec
- Lack of records of testing and input and output of testing
- Lack of forward and backward tracing (TM)
- Lack of defect tracking during testing
- No QAU (no check on trustworthiness of S/W)
- No re-evaluation or retesting when hardware is added
- Lack of hardware qualification (refers to infrastructure as well as app related software)
- Lack of adequate security
Throughtout the session, Angela also gave her own tips and tricks from her many years of experience such as using the same SOP for GxP and non-GxP systems:
“I have seen companies with two different SOPs for GxP systems vs non-GxP systems. From my experience, I have found that it’s more efficient to have a single SOP to just reduce the amount of information that you need in the non-GXP systems.”
Angel Bazigos, Leader Compliance Consulting
She went on to explain that validation is essentially “good software engineering with documentation on steroids.” The purpose is to deliberately slow things down, because these systems may be responsible for critical functions like keeping someone’s heart beating or helping a newborn breathe.
And if you have different SOPs, people can run the wrong SOPs. For example, she worked with a large company who that 150 HPLC instruments and 150 agilents. During an IT upgrade, the team mistakenly followed the non-GxP SOP while applying a patch. As a result, half of the systems crashed.
The organization then had to initiate CAPAs, implement change controls, and go through rounds of testing and retesting to restore compliance and functionality.
If you’d like to get more of her GAMP 5 best practices, don’t miss her webinar below: GAMP: From theory to action in compliance management.
5 Frequently Asked Questions about the GAMP 5 guideline
Continuing on, we answer the most commonly asked questions about GAMP 5.
What is the difference between GxP and GAMP?
GxP and GAMP are different albeit related concepts, GxP stands for Good (x) Practice and is an umbrella term for several quality guidelines and regulations. The x represents different areas such as manufacturing (GMP), laboratory (GLP), and clinical (GCP). GAMP on the other hand means Good Automated Manufacturing Practices, and is a guideline focused on validating computerized systems within GxP and for GMP-regulated industries
What is GMP and GAMP?
GMP and GAMP are QA frameworks, each addressing different aspects of manufacturing. GMP (Good Manufacturing Practices) is a set of guidelines to guide manufacturers to create and control products consistent with quality standards. GAMP (Good Automated Manufacturing Practice) instead, focuses on the validation of computer systems used in GxP manufacturing.
What is GAMP 5 testing of GxP systems?
GAMP 5 testing of GxP systems are validation checks conducted according to GAMP 5, ensuring that computerized systems used in GxP are fit for their intended use and compliant with regulations throughout its entire lifecycle, from concept to retirement.
What are the 5s rules in pharma?
The 5S rules in pharma come from Japanese methodology. They are based on the Sort, Set in Order, Shine, Standardize, and Sustain principles, and its purpose is to optimize and organize work environments to promote efficiency, cleanliness, and compliance with quality standards.
What are the key concepts of GAMP 5?
The key concepts of GAMP 5 include product and process understanding, a lifecycle approach within a Quality Management System (QMS), scalable lifecycle activities, science-based quality risk management, and leveraging supplier involvement
Key takeaways
- GAMP 5 provides a globally respected, risk-based framework for validating computerized systems in GxP-regulated industries like pharma and medtech.
- The 2nd edition (2022) modernizes guidance with updates on cybersecurity, AI/ML, cloud computing, and Agile development.
- GAMP 5 is built on five core principles, including lifecycle thinking, critical thinking, risk-based validation, scalability, and leveraging supplier input, to align compliance with real-world operations.
- GAMP 5’s software categories provide a flexible way to scale validation efforts based on system complexity to help teams stay compliant without slowing innovation.
Conclusion
While GAMP 5 guidelines are non-legally binding, they are crucial to ensure patient safety, product quality, and data integrity. The guideline’s recommendations are coherent with current GxP requirements defined by the EU & US regulatory agencies, making GAMP 5 the most comprehensive guideline for computerized systems validation according to GxP values. Plus, its regular revisions ensure alignment with the rapidly evolving landscape of software innovation.
The GAMP 5 practical approach enables life sciences manufacturers to work hand in hand with the computerized system suppliers, noticeably reducing testing burden. Also, when applied correctly, GAMP 5 allows manufacturers to reduce validation and compliance maintenance time and costs, preparing manufacturers to face government audits and inspections efficiently.