Life Sciences Insights

Sharing expert knowledge via our latest blog posts

GAMP 5 Guide 2nd Edition: what’s new?

In 2022, ISPE released a new, second edition of the GAMP 5 guide. Read more about this new edition here and/or watch our webinar on demand.
New edition of the GAMP 5 guide ‘A Risk-Based Approach to compliant GxP Computerized Systems’ expected in 2022

GAMP 5, which stands for “Good Automated Manufacturing Processes”, is an approach that has been widely used in life science industries for validating computerized systems.

It has been 14 years since the ISPE published the first edition of the GAMP 5 guide “A Risk-Based Approach to compliant GxP Computerized Systems.” Despite the time that has passed since the publication of this guide, it has been the basis for the validation of many systems around the world.

In July 2022, the GAMP 5 guide’s 2nd edition was released, with updates reflecting the significant changes in information technologies since the previous edition in 2008.

With the fast-evolving technology landscape, it is important for life science industries to adapt their business strategies to ensure compliance with the latest standards. In this blog post, we look in detail at what’s changed in GAMP 5 Guide 2nd Edition.

FREE WEBINAR: GAMP 5 2nd Edition

Watch our GAMP 5 2nd edition webinar on demand. We will tell you all about the new, second edition of GAMP 5.

GAMP 5 Guide: 2nd Edition – What’s new?

Compared to the static recommendations of the original 2008 edition, the 2nd edition of GAMP 5 released in 2022 reflects the significant advancements in technology, such as cloud-based solutions and artificial intelligence. 

As a result, linear step-by-step methods like the V-model have become outdated, and Agile models are now preferred for their interactive collaboration between customers and validation suppliers. This allows for adaptation to new discoveries and changing needs throughout the project. 

Below, we will take a closer look at the changes recommended in the GAMP 5 Guide 2nd edition (2022), including those in the Management (M), Development (D), Operations (O), and Special Interest (S) appendices.

M11 – IT INFRASTRUCTURE (NEW)

To facilitate more efficient implementation of changes with minor risk, guidelines suggest that QA shall have less involvement in such changes, bypassing formal change control procedures. A formal agreement listing the minor changes is made between QA and IT. 

For example, on February 2nd of this year, Microsoft Edge (Version 109.0.1518.78) released security updates.

M12 – CRITICAL THINKING (NEW)

This common sense-based approach insists on avoiding excessive compliance with non-necessary procedures. Being rational in designing and mapping processes is sufficient to meet proportional needs.

The best example of this new way of thinking is the transition from Computer Software Validation to Computer Software Assurance (CSA) that has been underway for several years.

After the ISPE published their GAMP5 2nd edition guide in July, the FDA officially released the draft guidance document ‘Computer Software Assurance for Production and Quality System Software’ in September 2022. The way of validation with such a CSA approach is risk-based and efficiency-driven.

The goal is to minimize the time wasted in standard CSV procedures such as looking for errors in the implementation of protocols or other documentation writings by testers and now focus on the value-added tasks, that is, actually checking the functionalities: does the system work as expected?

D1 – SPECIFYING REQUIREMENTS (SIGNIFICANT UPDATE)

In the 2008 edition of GAMP, User Requirements Specifications (URS) and Functional Requirements Specifications (FRS) were separated and treated in different appendices. In the new edition, both specifications are managed in an Agile way.

With the rigid, “old-fashioned” V-model methodology, requirements and subsequent process steps (including deliverables) are defined in advance in the very first Project and Validation Plan, leaving no room for unexpected occurrences from start to completion. For more details, see our blog post concerning CSV validation according to the V-model).

In contrast, the Agile approach is discovery-oriented, allowing more flexibility and independence in each step of the process (each step has its own design/build/test cycles).

However, the project is still designed according to the requirements category, priority, and criticality for patient safety. For more information, see paragraph D8 – AGILE SOFTWARE DEVELOPMENT.

D5 – TESTING OF COMPUTERIZED SYSTEMS (SIGNIFICANT UPDATE)

The new edition emphasizes avoiding over-documentation, such as excessive screenshots for each function. Moreover, GAMP 5 2nd edition aims to increase confidence in vendor packages that have already been validated by them according to their own GxP requirements.

In short, the main message is: test and document what is needed to add value. Use critical thinking. as we explained above in M12 – CRITICAL THINKING (NEW) and D1 – SPECIFIC REQUIREMENTS (ADDED UPDATE) regarding Computer Software Assurance and Agile model.

Some risks are considered minor because they do not directly affect the product and patient safety. But because they affect the quality system more generally, they should still be tested. 

In this case, the second edition of GAMP5 recommends performing Unscripted testing. Unlike traditional scripted testing, there is no need to document a detailed step-by-step procedure: the focus remains on the pass/fail objective.

D8 – AGILE SOFTWARE DEVELOPMENT (NEW)

Suppose you want to use a particular software for development/validation activities. Since this software itself is designed according to an Agile model, you will receive regular updates from the vendor.  

Well, it is with exactly the same mindset that GAMP5 2nd edition tells you to tackle your validation project. However, software lifecycle deliverables resulting from the Agile model cannot be approved according to 21 CFR Part 11: other ways are used for traceability, such as e-mail and audit trails. See our QbD blog post 21 CFR Part 11 compliance checklist.

D9 – SOFTWARE TOOLS (NEW)

Tools that are not directly part of a GXP-regulated process do not need to be CSV validated themselves (e.g., Microsoft Word). Although they might be used in system validation lifecycles or IT procedures, IT good practices and risk assessment shall be enough.

D10 – DISTRIBUTED LEDGER SYSTEMS (BLOCKCHAIN) (NEW)

Blockchain technology is still in its infancy, but has great potential for data integrity and tracking in GxP environments throughout the product lifecycle. This innovation will certainly be an important part of new Agile models. For more on this potential of new technologies, see our QbD blog post ‘What is digital health?‘.

D11 – ARTIFICIAL INTELLIGENCE (AI) AND MACHINE LEARNING (ML) (NEW)

The novelty of artificial intelligence (AI) and machine learning (ML) does not prevent systems from being validated. Model validation here relies on the description of the AI and ML algorithm as well as the use case and key performance indicators as technical specifications. QbD’s core digital health team has created a blog post on this: The Advent of Artificial Intelligence and Machine Learning in Medical Devices.

Embracing information technology, big data, AI and machine learning to collect, share, analyse and use data on patient outcomes to help healthcare professionals make informed decisions and to improve care (by improving efficiency of use alongside safety and security of all data).

S2 – ELECTRONIC PRODUCTION RECORDS (SIGNIFICANT UPDATE)

The new technologies described above produce a significant amount of data that must be monitored with audit trails. The second edition of GAMP5 recommends establishing recovery point objectives (RPO: frequency of backups) and recovery time objectives (RTO: interval between system failure and recovery) based on risk assessments of systems.

RETIRED APPENDICES

  • D2 – Functional Specifications is retired. Its content is incorporated into D1 Specifying Requirements.
  • O7 – Repair Activity is retired. Requirements for repair activities are in O6 – Operational Change and Configuration Management.
  • S5 – Managing Quality within an Outsourced IS/IT Environments is retired. Its content is in M11 – IT Infrastructure.

GAMP 5 Guide 2nd edition: conclusion

In this blog post, we saw how the recommendations of the GAMP 5 guide 2nd edition have been adapted to new technologies (AI, ML, cloud software, blockchain, etc.).

To stay competitive in their business, life sciences companies need to keep pace with the changes brought by market intelligence tools: the two main ideas are Critical Thinking and the Agile model.

Do you want to implement GAMP5 2nd edition’s recommendations within your processes? Our experts are happy to help!

Please don’t hesitate to contact us.

FREE WEBINAR: GAMP 5 2nd Edition

Watch our GAMP 5 2nd edition webinar on demand. We will tell you all about the new, second edition of GAMP 5.

Related articles

Did you find this article interesting? Thanks for sharing it with your network:

Subscribe to the Blog
Here you will find interesting articles and news related to your industry.

Table of Contents

Stay up to date with the latest insights in life sciences

Come visit our booth at CPHI Barcelona 2023

Come to see the QbD Group at stand #3G73 at CPHI Conference in Barcelona. And after the conference…Eat & Connect with lifescience professionals at our QbD’s CPHI Networking Drink.