未分類

Commentary on GAMP 5: Evolution and Current State

Commentary on GAMP 5: Evolution and Current State

Historical Context and Development

GAMP 5 was first published on February 28, 2008, marking a significant revision six years after the release of GAMP 4 in 2001. This initial edition was designed to meet current industry standards and the latest regulatory requirements at that time. However, in many ways, GAMP appeared to be catching up with pharmaceutical industry Computer System Validation (CSV) Standard Operating Procedures (SOPs), which had already evolved considerably.

Paradigm Shift from GAMP 4

GAMP 4 was designed with the assumption that systems would be built from scratch. However, in practice, most implementations involve commercial off-the-shelf (COTS) products that can be configured through parameter settings. Furthermore, GAMP 4 was primarily oriented toward factory automation systems and did not adequately address computerized systems in the broader sense.

The title evolution reflects this fundamental shift in focus. GAMP 4 was titled “GAMP Guide for Validation of Automated Systems,” while GAMP 5 became “A Risk-Based Approach to Compliant GxP Computerized Systems,” clearly indicating a broader scope encompassing all GxP computerized systems with emphasis on risk-based approaches.

Major Changes in GAMP 5 First Edition (2008)

1. Software Category Restructuring

The software categorization system underwent significant revision to better reflect modern software architectures and deployment patterns.

Category 1 transitioned from “Operating System” to “Infrastructure Software,” now encompassing operating systems, databases, and middleware. This broader definition recognizes the layered nature of modern IT infrastructure.

Category 2 (Firmware) was discontinued as a separate category. Modern firmware has become so sophisticated that distinguishing it as a separate category is no longer justified. Firmware can now fit into any of the remaining categories depending on the nature of the embedded software.

Category 3 evolved from “Standard Software” to “Non-configured Software” (also known as “Non-configured Products” or “Standard System Components”). This category includes software that cannot be configured, or configurable software used with factory default settings without any customization.

Category 4 changed from “Configurable Software Package” to “Configured Software” (or “Configured Components”). This encompasses software where parameters and functions are modified to align with specific business processes through configuration rather than coding.

Category 5 remains “Custom Software” (or “Custom Applications and Components”), unchanged from GAMP 4, covering software designed and coded specifically for particular business needs.

CategoryGAMP 4 (2001)GAMP 5 (2008)GAMP 5 Second Edition (2022)
1Operating SystemInfrastructure SoftwareInfrastructure Software, Tools, and IT Services
2FirmwareNo longer usedNot Used
3Standard SoftwareNon-configured SoftwareStandard System Components
4Configurable Software PackageConfigured SoftwareConfigured Components
5Custom SoftwareCustom SoftwareCustom Applications and Components

2. V-Model Transformation

GAMP 4 required similar validation approaches regardless of whether software was a commercial package or custom-developed. GAMP 5 introduced differentiated verification (testing) criteria for Categories 3, 4, and 5 within the V-Model framework.

Installation Qualification (IQ) was eliminated in GAMP 5, and the terms Operational Qualification (OQ) and Performance Qualification (PQ) were no longer prescribed, allowing each company to define these in their SOPs as appropriate. The industry commonly adopted alternative terminology such as “System Test” and “User Acceptance Test.” The GAMP 5 V-Model diagrams refer to these as “Functional Testing” and “Requirements Testing,” respectively.

For Category 4 systems, Configuration Verification was newly added to the V-Model. This presumably corresponds to verification activities such as reviewing and confirming defined and entered configuration values.

For Category 5 systems, Module Testing and Integration Testing were newly incorporated into the V-Model. In GAMP 4, these tests were positioned at the bottom of the V-Model as activities performed during software construction (i.e., during coding). Typically, suppliers would conduct these tests.

3. Enhanced Supplier Utilization

Previously, pharmaceutical companies often duplicated testing and other activities already performed by suppliers. Additionally, non-value-adding activities such as converting supplier-provided documentation into company-specific formats were common. There should be no inherent need for pharmaceutical companies to recreate documentation already produced by suppliers.

This approach was reconsidered to respect suppliers’ Quality Management Systems (QMS). Suppliers should maintain robust QMS, and their software manufacturing and testing activities should be conducted according to their own QMS. Consequently, supplier audits have become increasingly important and continue to be a critical component of modern validation strategies.

GAMP 5 Second Edition (2022): A Major Update

Background and Rationale

Fourteen years after the first edition, ISPE published the GAMP 5 Second Edition in July 2022. This was not designated as GAMP 6 because the fundamental structure and principles of GAMP 5 remained well-suited to the contemporary IT landscape and computerized system validation needs. The decision to publish a second edition rather than a completely new guide reflects the enduring validity of the risk-based framework while acknowledging the need to address significant technological advances since 2008.

Core Structure and New Emphases

The main body maintains its eight-chapter structure: Introduction, Key Concepts, Life Cycle Approach, Life Cycle Phases, Quality Risk Management, Regulated Company Activities, Supplier Activities, and Efficiency Improvements. However, Chapter 3 adds a new subsection on “Critical Thinking Through the Life Cycle,” and Chapter 8 includes a new subsection on “Using Tools and Automation,” along with various wording refinements throughout.

The Second Edition explicitly shifts focus toward patient safety, product quality, and critical thinking, moving away from a purely compliance-focused mindset. This represents a philosophical evolution from “avoiding audit findings” to “ensuring patient safety and product quality through appropriate risk management.”

Critical Thinking: A Fundamental Pillar

One of the most significant additions is Appendix M12 on Critical Thinking. This concept has become a fundamental pillar of the Second Edition and aligns directly with the FDA’s Computer Software Assurance (CSA) guidance published in September 2022 (finalized in September 2025). Critical thinking emphasizes the application of patient-centered, risk-based reasoning to software assurance activities, encouraging Subject Matter Experts (SMEs) to determine appropriate approaches rather than following prescriptive checklists.

Critical thinking means:

  • Focusing on what matters most: patient safety, product quality, and data integrity
  • Avoiding unnecessary documentation and testing that adds no value
  • Applying scientific and risk-based reasoning to validation decisions
  • Leveraging supplier information and automation tools effectively
  • Distinguishing between high-risk and low-risk features, functions, and operations

Support for Modern Development Methodologies

The Second Edition explicitly acknowledges and supports agile and iterative software development methodologies, which have become prevalent since 2008. It clarifies that the GAMP specification-and-verification approach is not inherently linear and fully supports incremental models and methods. This represents a significant departure from the traditional waterfall model assumptions of earlier guidance.

Key aspects include:

  • Integration of validation activities throughout sprint-based development cycles
  • Use of development tools and automated testing frameworks as part of the validation strategy
  • Acceptance of product backlogs and user stories as requirements documentation
  • Support for continuous integration/continuous deployment (CI/CD) practices
  • Recognition that audit trails and tool-generated records can serve as validation evidence

Appendix D8 specifically addresses Agile Software Development, providing explicit guidance on adapting GAMP principles to agile projects while maintaining appropriate control and traceability.

Transition from CSV to CSA

The Second Edition reflects and supports the industry’s transition from traditional Computer System Validation (CSV) to Computer Software Assurance (CSA). This paradigm shift, formalized by the FDA’s September 2022 draft guidance (finalized in September 2025), emphasizes:

Risk-Based Assurance Activities: Rather than prescriptive testing for all features, CSA recommends assurance activities commensurate with the risk to patient safety, product quality, and data integrity. High-risk features require rigorous scripted testing, while low-risk features may be assessed through unscripted testing, vendor assessments, or monitoring.

Leveraging Supplier Documentation: Companies should maximize the use of supplier testing documentation, quality certifications, and development lifecycle evidence rather than duplicating efforts. Thorough supplier assessments can reduce the need for redundant testing.

Focus on Intended Use: Each software feature, function, or operation should be evaluated based on its intended use within the production or quality system, with validation effort scaled accordingly.

Least Burdensome Approach: The CSA framework encourages companies to apply the least burdensome approach that provides adequate assurance, avoiding excessive documentation and testing that do not contribute to product quality or patient safety.

Emerging Technologies

The Second Edition addresses technologies that were nascent or non-existent in 2008:

Artificial Intelligence and Machine Learning (AI/ML): Appendix D11 provides guidance on validating adaptive systems, including considerations for model development lifecycle, training data selection, performance metrics, and continuous monitoring. This aligns with emerging regulatory expectations, including the EMA/PIC/S draft Annex 22 on AI in pharmaceutical manufacturing.

Blockchain and Distributed Ledger Technology: Appendix D10 discusses how immutable ledgers can be applied to supply chain traceability, data integrity, and secure information sharing in GxP environments.

Cloud Computing: Updated guidance addresses Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) models, with emphasis on service provider assessments, service level agreements, and data integrity controls.

Open Source Software (OSS): Recognition of the increasing use of open-source components in pharmaceutical systems, with guidance on managing associated risks and maintaining appropriate controls.

Updated and New Appendices

The Second Edition significantly expands the appendices with new topics and comprehensive updates:

Management Appendices: New M11 (Infrastructure) and M12 (Critical Thinking) provide guidance on modern infrastructure approaches and the application of critical thinking throughout the lifecycle.

Development Appendices: Several appendices were combined or retired. Appendix D1 now integrates User Requirements Specifications (URS) and Functional Requirements Specifications (FRS), recognizing that these may be maintained in management tools rather than static documents in agile environments. Appendix D3 on Testing emphasizes the CSA concept, distinguishing between scripted and unscripted testing based on risk.

Operations Appendices: Comprehensive updates reflect modern IT service management practices, clarifying distinctions between change management, problem management, and incident management.

Infrastructure Category Expansion

Category 1 (Infrastructure Software, Tools, and IT Services) has been expanded beyond traditional operating systems and databases to include:

  • Virtualization platforms and container technologies
  • Cloud infrastructure services
  • Office productivity tools
  • Network monitoring and security software
  • Development tools and integrated development environments
  • Data backup and recovery systems

This expansion recognizes that validation effort should focus on configured and custom applications rather than well-established infrastructure components with proven commercial pedigree.

Reflection on Implementation

While these represent significant changes in the guidance, many pharmaceutical companies had already begun implementing similar practices before the Second Edition’s publication. The pharmaceutical industry’s CSV practices had evolved organically to address practical challenges, and GAMP 5 Second Edition largely codified existing best practices while providing a modernized framework.

Application Across GxP Domains

GAMP 5 targets GxP computerized systems broadly, but the guidance historically emphasized Good Manufacturing Practice (GMP) applications. Extending GAMP 5 Second Edition to non-clinical research, clinical development, and post-marketing surveillance (R&D domains) still requires considerable effort to develop appropriate SOPs and validation strategies. These domains involve different risk profiles, data types, and regulatory expectations compared to manufacturing environments.

For R&D systems, considerations include:

  • Greater emphasis on data integrity and traceability over manufacturing controls
  • Different regulatory frameworks (GCP, GLP) with distinct requirements
  • More frequent system changes and updates during development phases
  • Balance between scientific innovation and compliance requirements
  • Integration with electronic submission requirements (eCTD, SDTM, ADaM)

Alignment with Regulatory Evolution

The evolution of GAMP 5 mirrors broader regulatory trends toward risk-based, patient-focused approaches:

FDA’s Computer Software Assurance Guidance (September 2022 draft, September 2025 final): This guidance, applicable to medical device manufacturers, promotes a risk-based approach to software used in production and quality systems. GAMP 5 Second Edition was developed in consultation with the FDA and fully aligns with CSA principles.

ICH Q9(R1) Quality Risk Management (November 2023): The revised ICH Q9 reinforces risk-based approaches and discourages excessive or inappropriate use of formal risk management tools. This aligns with GAMP 5’s emphasis on critical thinking and proportionate validation.

EU Annex 11 Computerized Systems: Although not revised since 2011, the principles in Annex 11 regarding risk-based validation, supplier assessments, and data integrity remain fully compatible with GAMP 5 Second Edition.

Data Integrity Guidance: Various regulatory agencies (FDA, MHRA, EMA) have issued data integrity guidance emphasizing ALCOA+ principles (Attributable, Legible, Contemporaneous, Original, Accurate, plus Complete, Consistent, Enduring, Available). GAMP 5 Second Edition explicitly incorporates data integrity by design throughout the lifecycle.

Future Directions

As we move forward, several trends are likely to continue shaping computerized system validation:

Increased Automation: Greater use of automated testing tools, robotic process automation, and AI-powered quality management systems will further reduce manual documentation burden while improving control and quality.

Continuous Validation: Real-time monitoring and analytics will enable continuous validation approaches, moving away from periodic revalidation cycles toward ongoing assurance.

Platform-Based Approaches: Standardized, pre-validated platforms will enable faster implementation of new capabilities through configuration rather than custom development.

Enhanced Supplier Collaboration: Deeper integration between regulated companies and suppliers, with shared responsibility for validation activities based on transparent QMS assessments.

Digital Maturity: As the industry achieves greater digital maturity, the focus will shift from validating individual systems to ensuring the integrity and security of integrated digital ecosystems.

Conclusion

The evolution from GAMP 4 through GAMP 5 First Edition to GAMP 5 Second Edition represents a journey from prescriptive, documentation-heavy validation toward risk-based, patient-focused assurance. While the fundamental principle—ensuring computerized systems are fit for intended use and maintain a validated state—remains constant, the methods for achieving this goal have matured significantly.

For organizations implementing GAMP 5 Second Edition, the key is not simply adopting new terminology or templates, but fundamentally embracing critical thinking, risk-based decision making, and a focus on what truly matters: patient safety, product quality, and data integrity. This requires investment in building organizational capability, training SMEs, establishing appropriate governance, and fostering a culture that values substance over documentation.

The pharmaceutical industry continues to learn and adapt. GAMP 5 Second Edition provides a robust framework for the current decade, but ongoing assessment and evolution will be necessary as technology and regulatory expectations continue to advance. The ISPE GAMP Community of Practice actively monitors developments and provides supplementary guidance, ensuring that the GAMP framework remains relevant and practical for years to come.

Ultimately, successful implementation of GAMP 5 principles requires balancing compliance obligations with innovation, efficiency with thoroughness, and standardization with flexibility. Companies that master this balance will be well-positioned to leverage technology effectively while maintaining the highest standards of quality and patient safety.

Outlook for Part 11 Revision: Historical Context and Current Status Previous post Challenges in Electronic Record Retention Requirements: Maintaining Authenticity During Long-term Preservation and System Migration Next post

Related post

Comment

There are no comment yet.