GAMP5 – explained simply

Good Manufacturing Practice (GMP) focuses on production processes and quality assurance.

GAMP5, on the other hand, centers on validating and managing computer-based systems. The “A” in GAMP5 stands for automated.

GAMP5 plays a key role in ensuring the reliability and integrity of automated systems used in pharmaceutical production. It provides a structured framework for validating and maintaining such solutions – helping companies meet regulatory requirements while also streamlining their operations.

Risk-based approach

Not every system carries the same level of risk. The risk-based approach ensures that validation efforts under GAMP5 focus on the most critical areas.

Documentation and quality assurance

Every aspect of automated systems must be thoroughly documented. This creates reliable evidence that can be presented to authorities at any time.

Change control

Effective change control procedures are at the heart of GAMP5. They safeguard the integrity and compliance of automated systems when changes are introduced.

Lifecycle approach

From development to implementation and maintenance – the lifecycle approach ensures systems are managed in a controlled way. It also establishes continuous monitoring and review.

Continuous improvement

GAMP5 promotes ongoing improvement in the validation and operation of computer-based systems. Regular updates and reviews ensure that changes in technology and regulations are reflected.

Involvement of suppliers and service providers

Especially when it comes to developing and implementing computer systems, GAMP5 highlights the importance of close collaboration with suppliers and service providers.

Scalable validation

Validation activities and documentation are tailored to the complexity and risk of each system. This makes the validation process efficient and proportionate.

Software categorization

GAMP5 defines categories of software. These categories form the basis for determining the required level of validation.

The GAMP5 guide classifies software based on its risk profile and type of application. This makes it possible to assess computer systems and validate them accordingly. The following five categories are defined:

Category 1: Infrastructure software

This includes operating systems, databases, networks, and other foundational systems. They support applications but do not contain user-specific logic. Examples: operating systems and database management systems.

Category 2: No longer in use

This category is obsolete under GAMP5. It was part of GAMP4 and covered firmware or hard-coded systems used to classify hardware components where software could not be changed.

Category 3: Non-configurable software

Solutions that can be used without any customization or configuration fall into this category. Examples: Microsoft Word and Excel.

Category 4: Configurable software

These are systems that can be tailored to specific needs through configuration, without changing the source code. Examples: Laboratory Information Management Systems (LIMS) and Enterprise Resource Planning (ERP) solutions.

Category 5: Custom software

Software developed specifically for a particular use case, containing bespoke code. Examples: applications for controlling production machinery.

A computer system goes through the following main phases under GAMP5:

• Concept phase
  The basic requirements and purpose of the system are defined. An initial idea is developed of how it should support the organization’s business goals.
• Project planning
  A detailed project plan is created, covering required activities, resources, and timelines for software development and implementation.
• Requirements definition
  User requirements are captured in a User Requirements Specification (URS). This serves as the foundation for both system design and validation in line with GAMP5.
• Functional specification
  Based on the URS, a functional specification is prepared. It describes how the computer system will meet the defined requirements.
• Design phase
  The technical design of both hardware and software is defined, including detailed specifications.
• Build phase
  The computer system is developed in line with the agreed specifications.
• Test and qualification phase
  The system undergoes testing for installation qualification (IQ), operational qualification (OQ), and performance qualification (PQ).
• Implementation and release
  The system is deployed and put into operation. Users receive training to ensure effective handling.
• Operational phase
  The system enters day-to-day use. Ongoing monitoring and maintenance ensure compliance and performance. This phase also includes change management and incident handling.
• Retirement phase
  In the final stage, the system is decommissioned. Planning and execution ensure that retirement has no negative impact on other systems or data.

Computer system validation typically follows the V-model – a structured, sequential approach. The left side of the “V” represents specification (from requirements definition to detailed design). The right side represents verification and validation (from module testing through to system acceptance testing).

The process usually involves the following steps:

1. Requirements gathering: During requirements gathering, the user requirements are created in the User Requirements Specification (URS). They define what the system must deliver to meet both business needs and regulatory requirements.

2. Project initiation: During project initiation, the validation project is planned. A validation plan and a project plan are created.

3. Risk assessment: During risk assessment, the critical system aspects are identified, which determines where validation must be particularly rigorous.

4. Specification: Based on the URS, the functional specifications are created. They define how the system can technically fulfill the requirements.

5. Supplier selection and assessment: When selecting suppliers, their suitability is checked to ensure they meet the requirements for the intended system. The chosen suppliers are regularly reviewed and assessed.

6. Development and configuration: In this phase, the system is developed and, where necessary, configured.

7. Verification and testing: It is now ensured that the system meets the specified requirements. For this purpose, installation qualification (IQ), operational qualification (OQ), and performance qualification (PQ) are carried out in sequence.

8. Reporting and release: Once verification is complete, tests are performed. If these are successfully passed, the system can be released for live operation.

9. Training and implementation: Users are trained to work with the system, and it is introduced into daily operations.

10. Operation and maintenance: During operation, regular checks are carried out to ensure all mechanisms achieve their purpose. If necessary, adjustments are made through change management.

11. Retirement: If a system is no longer to be used, it is decommissioned according to a retirement plan.

GAMP4 is the predecessor of GAMP5. In GAMP4, user requirements were regarded as inputs for the validation process. They had to be detailed, specific, and testable.

GAMP5, on the other hand, considers user requirements as the outcome of a validation process. They can be more general, high-level, and business-oriented.

The second edition is the current version of GAMP5 and was published in July 2022. It is referred to as GAMP5 Second Edition or GAMP5 2nd Edition and builds on the principles of the first edition.

The following changes were introduced:

• The Second Edition supports iterative and incremental methods, whereas the first edition focused on linear approaches.
• Critical thinking by experienced experts is emphasized more strongly. Previously, standardized approaches were the main focus.
• New appendices have been added, for example on blockchain, artificial intelligence, and cloud computing.
• New guidelines complement the work, reflecting the growing importance of software and automation.