GAMP 5 update: computerized system expectations for pharma manufacturers
The International Society of Pharmaceutical Engineering’s GAMP® 5 guidelines steer validation practices for pharma companies to meet computerized system expectations. Members of the GAMP steering committees, Lorrie Schuessler, Charlie Wakeham and Stephen Ferrell, share the some of the key changes in the second edition update and how these should be interpreted by those working in pharmaceutical manufacturing.
Since 1991, GAMP® – a community of practice within the International Society for Pharmaceutical Engineering (ISPE) – has set the tone for the validation practices necessary for regulated pharmaceutical companies to meet the computerized system expectations of the US Food and Drug Administration (FDA), the European Medicines Agency (EMA), the World Health Organization (WHO), the Medicines and Healthcare Regulatory Agency (MHRA) in the UK, the Chinese National Medicinal Products Administration and other global regulatory bodies. Since their outset the GAMP guides have promoted using a balanced risk-based pragmatism to achieve compliance and the July 2022 release of GAMP 5 second edition strongly encourages the use of critical thinking to support that.
As ISPE GAMP 5 Second Edition notes in the preface “Operating in a highly regulated industry may lead practitioners to apply prescriptive and rigid compliance-based approaches that are not commensurate with and not effective in managing any actual risk to the product and the patient.” 1
The validation of computerized systems should be focused on ‘intended use’ and scaled commensurate with the risks to patient safety, product quality and data integrity”
The focus until now has too often been on compliance and not on quality. The industry approach to validation has in some cases been overly burdensome, despite the best effort of the GAMP Community of Practice, the US FDA and other regulators to reinforce through presentations and guidance that the validation of computerized systems should be focused on ‘intended use’ and scaled commensurate with the risks to patient safety, product quality and data integrity. Validation projects have often been documentation-focused exercises, more befitting a grammar exercise than artifacts supportive of regulated activity.
The original iteration of ISPE GAMP 5 was released in 2008 arriving in the nascent stages of what has become the cloud revolution and certainly before the widespread adoption of agile development methodologies, meaningful augmented reality, machine learning and artificial intelligence use cases in the life sciences industry.
Given the rapid acceptance of ‘as-a-service’ software models and significant outsourcing of previously in-house IT functions, there was a feeling that there was a need to assess and update the guidance.
Given the rapid acceptance of ‘as-a-service’ software models and significant outsourcing of previously in-house IT functions, there was a feeling that there was a need to assess and update the guidance. The original GAMP core principles are now applied more broadly by the Second Edition to allow contemporary and competent practitioners the freedom to employ innovative and evolving technologies without the previously assumed documentation burden.
While much software development now follows a more agile approach, changes – in the form of updates to the operating environment and software applications – are now frequent and essential to sustain data integrity and data security as well as operational efficiency. This required a paradigm shift from the previous ‘validate the system and keep it static and unchanged for as long as possible’ mindset to a dynamic and flexible approach to maintaining the system in a validated state of control throughout its operational life. Moving from ‘snapshot’-type qualification activities to real-time monitoring and control for the IT infrastructure supports this flexibility.
Key changes to GAMP 5
For the purposes of this discussion, we will focus on what we consider to be the most significant changes to GAMP 5 but we would encourage the reader to review the guidance in its entirety within the context of their regulated business activities. The GAMP 5 Second Edition includes:
- Six completely new appendices
- Significant updates to three of the original appendices
- Removal of a further three appendices.
This article primarily discusses Appendix D5 Testing of Computerized Systems and Appendix M12 Critical Thinking. Taken together these appendices provide the validation practitioner with broad contemporary thinking that can be applied to their day-to-day project activities.
Testing of Computerized Systems – Appendix D5
The validation of commercially available software applications has largely followed the GAMP V-model. While that model remains relevant from a planning and workflow perspective, ISPE GAMP 5 Second Edition is fully supportive of agile development and iterative testing methodologies and practices.
The GAMP 5 Second Edition guide emphasises that focus should be on value-adding activities rather than documentation for documentation’s sake.”
The GAMP 5 Second Edition guide emphasises that focus should be on value-adding activities rather than documentation for documentation’s sake. System information and test evidence still need to be captured but the format of the information captured can be flexible as long as it is attributable, protected against unauthorised changes and available when needed. There is also encouragement to use tools where possible to increase validation efficiency and defect detection.
For example, previous approaches to documenting the execution of a validation test case may have required the tester to initial and date each step. ISPE GAMP 5 Second Edition encourages critical thinking to reduce the instances of initials and dates while still ensuring that the identity of the individual or individuals performing any test is known, transparent, and easily attributable.
Another common and wasted effort used in the past was to write test cases which were then informally run to confirm the validity of the scripted instructions before running formally to provide supposed evidence of the system’s fitness for intended use; repeating the same test cases does nothing for defect detection and instead just contributes to that generation of documentation that so many have mistakenly believed is core to validation.
The revision of Appendix D5 also includes an expansion of the computer software assurance concepts from the ISPE GAMP® RDI Data Integrity by Design guide,2 Appendix S2 – Computer Software Assurance, in which the reader is encouraged to apply additional, non-traditional testing approaches, reflective of current software industry good testing practice, to challenge the system’s fitness for intended use. Ad hoc testing, error guessing, exploratory testing, and day-in-the-life testing are all introduced with the intention of increasing test coverage and rigour while simultaneously documenting less.
The use of contextualised functional risk assessments is also highlighted to allow the validation practitioner to scale their test cases commensurate with the assessed patient safety, product quality or data integrity risk that a particular requirement manifests.
The GAMP 5 Second Edition also provides a great deal of encouragement for regulated companies to leverage vendor documentation, stating “…testing may occur both in the vendor’s development life cycle and in the regulated company’s implementation life cycle”. This aligns well with newly-issued FDA draft guidance on Computer Software Assurance, which states: “Because the computer software assurance effort is risk-based, it follows a least-burdensome approach, where the burden of validation is no more than necessary to address the risk.”3
Critical Thinking in GAMP 5 – Appendix M12
The new critical thinking appendix M12 provides perhaps the clearest insight as to contemporary thinking within the GAMP Community of Practice, and states that, “…while GAMP 5 promotes a risk-based approach to ensuring fitness for intended use, some practitioners do not apply sufficient thought to ensure the approach they are taking is customised and proportionate to the needs of different systems”.
Critical thinking should not be reserved just for the testing stages within a validation project, nor should it be constrained to just the validation project. Consider critical thinking as a cradle to grave approach, for example:
- Realising efficiency and robustness gains during system planning by focusing on what the system must do based on a business process map, defining what stages of the data lifecycle it is supporting and avoiding the pointless verbiage that so often creeps into system requirements.
- Contextualising risk management, that is to say, that not every risk is fatal, and that often remedial strategies can successfully lower risk to levels that would be considered acceptable and as low as reasonably possible.
- Tailoring system training around the routine tasks of the different system user types, ensuring that each user type is given training centered on their tasks and responsibilities.
- Providing ‘how to’ videos and wikis available at the point of use for the system, rather than relying on distributing printouts of long and complex written standard operating procedures (SOPs).
The concept of using widely available requirements management tools is further reinforced in this appendix. Validation practitioners are encouraged to consider the value proposition of all activities particularly in validation preparation, execution and review.
GXP requirements and system attributes are kept in sharp focus, and only those requirements that have a defined patient safety, product quality or data integrity impact should be subject to risk remediation treatments.
Takeaways from ISPE’s GAMP 5 Second Edition update
In conclusion, there should be no doubt that ISPE GAMP 5 Second Edition is the written equivalent of a rousing quality sermon. Compliance is the minimum viable product, but it is quality that is the minimum lovable product and ultimate goal of the Second Edition.
Arbitrary comments, excessive evidence gathering, and non-focused testing are roundly rejected by ISPE GAMP 5 Second Edition.”
The chapter leads, the contributing authors, the countless peer reviewers and the regulators named and acknowledged in ISPE GAMP 5 Second Edition collectively affirm that the non-value-added processes, and outputs that have crept into our profession should have their necessity and providence thoroughly challenged. Arbitrary comments, excessive evidence gathering, and non-focused testing are roundly rejected by ISPE GAMP 5 Second Edition. The guide itself is utterly unambiguous, and all but the most determined will struggle to find multiple meanings within its chapters and appendices.
ISPE GAMP 5 Second Edition provides us with a clear concise pathway to drive our technology solutions in support of product quality and then subsequently maintain them in a validated state of control throughout their operational life. In this way, validation transforms from a perceived burden into a facilitator for the safe use of innovative technologies and processes.
- ISPE GAMP 5 Second Edition: A Risk-Based Approach to Compliant GxP Computerized Systems, ISPE, 2022.
- ISPE GAMP, RDI Good Practice Guide: Data Integrity by Design, ISPE, 2020.
- FDA, Computer Software Assurance for Production and Quality System Software – Draft Guidance. FDA, 2022.
About the authors