GAMP5 simply explained

The focus of GMP, Good Manufacturing Practice, is on the aspects of production and quality assurance.

GAMP 5, on the other hand, focuses on validating and managing computerized systems. The "A" in "GAMP 5" stands for "automated".

GAMP 5 plays a fundamental role in ensuring the reliability and integrity of automated systems in production in the pharmaceutical industry. To this end, GAMP 5 provides a structured framework for the process validation and maintenance of such solutions and helps to meet regulatory requirements and optimize operational processes.

Risk-based approach

The risk-based approach recognizes that not every system is equally risky in order to focus the use of process validation according to GAMP 5 on the critical areas.

Documentation and quality assurance

The principle of documentation and recording requires that all aspects of automated systems are thoroughly documented. This ensures that the necessary evidence can be provided to authorities at any time.

Change control

GAMP 5 focuses on effective change control procedures. This ensures that the integrity and compliance of automated systems are not compromised.

Lifecycle approach

The GAMP 5 lifecycle approach takes into account all phases that a system goes through. It ensures that systems are developed, implemented and maintained in a controlled manner. It also defines continuous monitoring and review.

Continuous improvement

GAMP 5 also supports continuous improvement in relation to process validation and the operation of computerized systems. This includes the review and updating of systems and processes. This ensures that changes relating to technologies and regulations, among other things, are taken into account.

Involvement of suppliers and service providers

Particularly with regard to the development and implementation of computer systems, GAMP 5 recognizes the importance of cooperation with suppliers and service providers.

Scalable process validation

In scalable validation, the effort and documentation are adapted to the complexity and risk of the system. Validation activities are carried out appropriately and efficiently.

Categorization of software

According to GAMP, software is categorized into different classes. The validation requirements are defined on this basis.

The GAMP 5 guideline categorizes software based on its risk profile and type of application in order to evaluate and validate computer systems accordingly.

The following five categories are distinguished:

Category 1: Infrastructure software

This category refers, for example, to operating systems, databases, network and other basic systems. They support applications but do not contain any user-defined logic. Examples are operating systems and database management systems.

Category 2: No longer used

Category 2 is obsolete and is no longer used under GAMP 5. It was part of GAMP 4 and included firmware or hard-coded systems and was used to classify hardware components where software cannot be changed.

Category 3: Standard software

Category 3 includes solutions that can be used without customization or configuration. These include Microsoft Word and Excel.

Category 4: Configured software

Configured software refers to systems that are configured by the user after installation. It can be adapted to specific requirements, but the source code does not have to be changed. Examples include laboratory information and management systems, LIMS and enterprise resource planning systems.

Category 5: User-defined software

Software is user-defined if it has been developed specifically for a particular application and contains customized code. Examples include software for controlling production machines.

According to GAMP 5, a computer system goes through the following main phases:

1. Concept phase: The basic requirements and purposes of the computer system are defined and an initial idea is developed as to how it should support the business objectives.
2. Project Planning: A project plan is now drawn up. It includes required activities, resources and timing for the development and implementation of the software.
3. Requirements Definition: The user requirements are now defined in a User Requirements Specification (URS). The URS serves as the basis for the design and validation of the computer system in accordance with GAMP 5.
4. Functional specification: A functional specification is created on the basis of the defined user requirements. It describes how the computer system should fulfill the previously defined requirements.
5. Design phase: In the design phase, the design of the software including technical specifications is defined. This involves the design of both the hardware and the software.
6. Build phase: The computer system is now developed according to the previously defined specifications.
7. Test and Qualification Phase: The system is tested with regard to installation, operation and performance qualification.
8. Implementation and Release: The system is now introduced and put into operation. Users are trained.
9. Operational phase: Operation starts. This is followed by monitoring and maintenance to ensure that the system continues to meet requirements. Change management and incident management are included.
10. Decommissioning/retirement phase: The last phase of the life cycle is the decommissioning of the system, it is taken out of operation. Planning and implementation of the decommissioning are included here. This ensures that there is no negative impact on other systems or data.

Computer system validation usually follows the V-model in a sequential, structured manner. The left-hand side of the "V" represents the specification (from the requirements definition to the detailed design). The right-hand side is responsible for verification and validation (from module to system acceptance testing).

The following steps are taken:

1. Requirements elicitation: in the course of requirements elicitation, the user requirements are created, the User Requirements Specification (URS). They define what the system must achieve in order to meet the company's requirements and the conditions.
2. Project initialization: The validation project is planned during project initialization. The validation plan and the project plan are created.
3. Risk assessment: During the risk assessment, the critical system aspects are identified and the points in which the process validation must be particularly intensive are determined.
4. Specification: The functional specifications are created on the basis of the URS. They define how the system can technically implement the requirements.
5. Selection and evaluation of suppliers: When selecting suppliers, their suitability is checked so that they meet the requirements for the intended system. The suppliers used are regularly scrutinized and evaluated.
6. Development and configuration: In this phase, the system is developed and configured as required.
7. Verification and testing: Now it is ensured that the system meets the specified requirements. To this end, installation, functional and performance qualification are carried out in sequence.
8. Reporting and release: Once verification has been completed, tests are carried out. If these are passed successfully, live operation can be initiated.
9. Training and implementation: Now the users are familiarized with the system and it is used in everyday life.
10. Operation and maintenance: During operation, regular checks are carried out to ensure that all mechanisms are fulfilling their purpose. If necessary, adjustments are made via change control.
11. Decommissioning: If a system is no longer to be used, it is deactivated according to a decommissioning plan.

GAMP 4 is the predecessor version to GAMP 5, in which user requirements were regarded as inputs for the validation process. They had to be detailed, specific and testable.

GAMP 5, on the other hand, considers user requirements as the result of a validation process. They can be more general, high-level and business-oriented.

The second edition is the current version of GAMP 5 and was published in July 2022. It is referred to as "GAMP 5 Second Edition" or GAMP 5 2nd edition and builds on the principles of the first edition.

The following changes have been made:

• The Second Edition supports iterative and incremental methods, whereas the first version had focused on linear methods.
• Critical thinking by experienced experts is increasingly required. Previously, the focus was on standardized approaches.
• New appendices are included, for example on the topics of blockchain, artificial intelligence and cloud computing.
• New guidelines supplement the work and take into account the increasing importance of software and automation.