ISPE GAMP® 5 Second Edition - Drivers, Updates and New Content

Introduction

Even prior to its introduction in 2008, GAMP, an ISPE trademark, had already been the de facto standard for the validation of computerized systems covering the entire life cycle for GxP-relevant areas in the pharmaceutical biotechnology and medical device industry. It is globally accepted throughout the industry and the regulatory authorities. Version 5, which was published in 2008, included all required principles and approaches to keep systems in a compliant state by demonstrating fitness for the intended use and to meet regulatory expectations. Therefore, GAMP 5 remained unchanged for more than 15 years and helped the pharmaceutical industry by providing a compliant and efficient approach to computerized system validation. The following principles and framework are still unchanged in the Second edition of GAMP 5: 

• The product and process understanding allows us to define requirements that are the basis for the evaluation that the system is fit for the intended use.

• A life cycle approach within a QMS ensures that the system has been built based on established procedures that are aligned with the company's quality management system and remains in its compliant state from conception to decommissioning.

• Scalable life cycle activities that take into consideration the intended use of the system, its novelty, its technical complexity, the outcome of the supplier assessment, and the impact the system may have on the business. Scalability also means that the amount of documentation and the broad and depth of validation activities can efficiently be reduced.

• A science-based quality risk management for the identification, assessment, control, communication, mitigation, and review of risks helps to focus the validation activities on the relevant system parts

• Leveraging supplier involvement to avoid duplication of effort in the validation of computerized systems and use the extensive knowledge of the software suppliers. It also allows the reuse of documentation.  

As these concepts remain unchanged, there was no need for GAMP 6, but to update the existing GAMP 5 Guide. GAMP® 5 Guide, 2nd Edition, aims to continue to protect data integrity, product quality, and patient safety by facilitating and encouraging the achievement of computerized systems that are effective, reliable, and of high quality.

However, several factors made it necessary to update GAMP 5 to the second edition so that it could continue to be the de facto standard for the years to come. The content of the guide has been updated to address:

• the increased importance of information technology (IT) service providers, including cloud service providers

• new approaches to software development, including incremental and iterative models and methods

• increased use of software tools and automation to oversee and control Information Technology and using records in tools instead of documents.

• new and impactful technologies like artificial intelligence and machine learning (AI/ML) or Blockchain

• Computer Software Assurance approaches for risk-based testing of software and systems 

Primarily compliance-driven approaches that establish formal compliance by creating extensive documentation through rigidly following a stringent process, are not suitable to address and mitigate the risks to patient safety, product quality, and data integrity, distract the focus from the essential, achievement and management of quality. The need for critical thinking, as outlined in the new appendix M12, and the application of patient-centric, risk-based approaches that aim at quality, efficacy, safety, and integrity has been reinforced.

Instead, the 2nd Edition strongly supports an efficient, agile, flexible medical device, pharmaceutical, and biotech industry that reliably produces high-quality drug products and moves beyond simply meeting minimum but acceptable compliance standards and evolves toward robust quality management systems.

Background and Drivers

To be of value to the industry, GAMP guidance must be well-aligned with current good practices and address today's technical concepts, possibilities, approaches, or techniques. However, Information Technology is a highly dynamic field, and in the past decade, several technological advancements and innovations have changed our way of working. 

These include, but are not limited to:

- Virtualization of Infrastructures (components)

- Significant outsourcing to Service providers (XaaS)

- Agile Software Development

- Computer Software Assurance

- Artificial intelligence/machine learning (AI/ML) and Blockchain

- Usage of tools to manage and record IT processes and data

Also, the concepts and principles of the ISPE GAMP Records and Data Integrity Guides that address the heightened regulatory focus on Data Integrity needed to be included in the GAMP guidance. 

In addition, as we are operating in a highly regulated industry, practitioners have applied prescriptive and rigid compliance-based approaches that were often not commensurate with the quality risk and were not effective in managing actual risk to the data, product and the patient. 

So, GAMP 5 Second Edition still aims to reflect current, good IT and software engineering practices accurately and is based on input from regulators, and experienced IT, automation, and software practitioners.

Overview of updated/new content

(1)The Role of Data Integrity and Critical Thinking

We all know of ineffective and inefficient practices that remain for reasons including:

- unwillingness to change 

- conflict of generations

- organizational lethargy

- fear of the audit

- lack of experience, qualification and training

- lack of effective business processes and technical SMEs

- overreliance on compliance-driven checklist approaches 

- fear of perceived regulatory inflexibility

Some organizations got comfortable by applying more or less mindlessly the same approach to all systems that are even remotely GxP-relevant. A lot of effort and resources got wasted by over-testing and over-documentation of low and medium-risk systems. While risk assessments were done, the outcome was often inconsequential as the same test approach and documentation approach was applied, regardless of the identified risks.

Consequently, computerized system validation degraded into an activity that just created extensive documentation for audits and inspections without much further value. Enormous templates and long checklists trying to anticipate every type of system and compliance aspects were created, managed, and completed for every type of system. Often costs of the validation effort were higher than all other implementation costs combined. This was, rightfully so, perceived as an unnecessary burden for the sake of establishing compliance and kept the industry from investing in new technologies.

GAMP 5 Second Edition prioritizes patient safety, product quality, and data integrity over formal compliance and encourages the application of critical thinking to proactively optimize the approach taken to ensure the quality and compliance of computerized systems. It should be applied to enable better design and development, adequate testing, and compliant operation and maintenance. Critical thinking should be applied in a holistic manner, including the business process, requirement gathering, specification, risk assessment of the computerized system and the subsequent determination of the testing approach.

(2)Iterative/agile approaches

Even though the First Edition of GAMP 5 already enabled iterative approaches, the GAMP® life cycle, specification, and verification approaches have typically been incorrectly perceived as inherently linear. The GAMP 5 Second Edition now explicitly supports scalable iterative/agile approaches through the entire system life cycle, providing guidance on how the life cycle phases apply to agile practices and methods and encouraging the maintenance of records and information in appropriate and effective software tools that typically support agile methodologies. A new development appendix provides a summary of the agile principles and illustrates how such agile principles can be implemented. It clearly states that modifying Agile for GxP, for example, by superimposing duplicate and unnecessary linear activities, is not recommended, but rather to embrace and use the standard agile processes and leveraging the created documentation and records. The records, information, and artifacts captured in automated tools may replace formal specification and test documentation if agile principles and methods are entirely and correctly implemented. The importance of testing, including exploratory testing and other unscripted techniques to find defects and confirm the computerized system is fit for intended use is highlighted.

(3)Software Tools

Iterative software development, as well as modern Infrastructure management and qualification, are dependent on software tools to manage projects and tasks, gather and record information, automate testing, deployment and distribution activities, and much more. 

Tools, that support IT processes are typically categorized as GAMP Software category 1 as they have no direct impact on product quality, patient safety, and data integrity. Such tools should be managed through the application of good IT practices and a risk assessment in combination with critical thinking and within a defined IT management framework. Typically, qualification activities that establish and maintain robust evidence that the tool is fit for purpose are sufficient.

GAMP 5 Second edition clearly states that “where sufficient detail and approvals are contained and available within a tool, there is no benefit to patient safety, product quality, and data integrity in manually creating separate documentation as audit evidence.”  

If an organization relies on the records within these tools for audits and inspections, this should be factored into the risk assessment and the qualification approach. Minimal controls would be Authorization Concept, reliable logging functionality, and a backup and restore procedure. Additionally, the installation (if possible) configuration(s) of the tool should be adequately specified (i.e. workflows/approvals).

(4)Blockchain

Blockchain, a decentralized system architecture combining cryptography, consensus, smart contracts, and replication, is one of the new technologies considered in GAMP 5 Second edition because it has been used in critical areas throughout the pharmaceutical and biotechnology industry. Blockchain technology, if implemented correctly, does provide a high degree of resilience against manipulation, and protects data integrity, while providing reliability and up-to-date data to the users. GAMP does not define the technology or discuss the appropriateness of the technology to meet business needs, it focuses on aspects for organizations to apply when relying on blockchains to support GxP processes. 

These aspects include:

• the need to understand data from a source of origin, source of truth, and ownership perspective 

• resulting in functional controls including:

•input controls 

•output controls 

•processing controls 

•access controls.

The appendix also addresses specific risks around decentralized applications built from several smart contracts and provides guidance for the retirement or migration of blockchain solutions. It provides specific criteria that can be used to select the appropriate blockchain solution and emphasizes the benefits of using established standards. 

Artificial Intelligence and Machine Learning

Even before AI applications like ChatGPT were released, GAMP was already addressing the relevant quality and validation aspects of artificial intelligence/machine learning systems that are used within computerized systems in a GxP context. 

It addresses questions like:

• How do I need to select the data used in the design of the solution for training and verification?

• What are the consequences of bias in the AI/ML solution, and how can I avoid introducing it?

• How do I keep an ever-changing AI/ML solution under change control?

• What are the life cycle considerations for an artificial intelligence solution that is constantly improved and developed further?

The data integrity aspects that were already included in the RDI GPG “Data Integrity by Design” were placed into a broader context in Appendix D11 “Artificial Intelligence and Machine Learning (AI/ML) of GAMP 5 Second Edition. It provides a lifecycle framework for these systems based on the GAMP 5 principles but addresses the specific nature and needs of these systems.

Criteria for data acquisition and selection are included as appropriate data sources with adequate privacy and controls; providing data in the correct structural format and appropriate segmentation are of key importance. The design and selection of the appropriate AI/ML model and how it is being trained with data are also covered in the appendix. Last but not least, the verification, acceptance, and release of the AI/ML solution and the necessary monitoring and continuous evaluation during the operation phase is explained in detail.

Computer Software Assurance

In September 2022 the FDA published a draft guidance on Computer Software Assurance (CSA). Even though the scope of the guidance is limited to software with an intended use related to medical devices, the ideas and principles of this guidance are valuable for computerized system validation in general. The CSA approach is fully aligned with the principles of GAMP, combined with critical thinking, and has been included in GAMP 5 Second Edition.

CSA aims to significantly reduce CSV documentation efforts by applying the risk-based approach and critical thinking to: 

• reducing the scope and type of the necessary testing

•support a scalable documentation approach that 

•demonstrates the level of assurance and control necessary for regulators and the industry

•ensures robust testing for functionalities that have a direct impact on the patient or the quality of the medical product used by the patient

•reduces the documentation effort that frees resources that should be reinvested in informal and ad-hoc testing, which improves the quality of the software product

This should reduce the validation burden for the industry, which has been identified as a cause for the slow adoption of innovative technologies.

CSA enhances and extends the guidance GAMP provides for a risk-based testing approach. The test documentation approach ranges from scripted testing to unscripted and Ad-hoc testing and is determined by:

• Identification of a direct or indirect GxP-related functionality

• Risk assessment focusing on intended use and Patient Safety

• Technical Implementation aspects (Out-of-the-Box, Configured or Custom System)

These assessments then lead to the following documentation approaches:

• Scripted testing with extensive step-by-step instruction, pass/fail information, and evidence for actual results for functionalities with high risks

• Unscripted testing that only provides the test objectives and pass/fail information for functionalities with medium risks

• Informal testing and ad-hoc testing with only the test duration recorded for functionalities with low risks

Obviously, all types of testing must record any defects or deviations.

However, applying CSA also comes with certain requirements and restrictions.

Applying critical thinking during the risk assessment is fundamental for informed decision-making and good judgment on where and how to apply and scale quality and compliance activities for computerized systems. You need to have significant experience and robust knowledge of the business process and an understanding of system functionalities' potential impact on patient safety, product quality, and data integrity. You need to document the reasoning behind the risk rating (Why is the risk high, medium, or low?). This cannot be achieved by mindless completion of checklists and forms. 

It requires subject matter expertise throughout the entire process, including the test execution. Only experts in the business process who are well-trained in the system functionality can perform unscripted or ad-hoc testing and assess the adequacy of the system functionality in support of the business process.  It is also highlighted that CSA can only be successful in a robust Quality Culture that promotes reporting and addressing of errors, bugs, and deviations.

The obvious benefits of the CSA approach are a higher test coverage with the same amount of resources, leading to better computerized systems that are demonstrably fit for the intended use. The development and execution of your scalable test documentation approach, in turn also results in an improved system knowledge.

Challenges and Opportunities

As the key principles have not changed from the first edition, GAMP 5 Second Edition is a reform and not a revolution. Still, organizations may still face significant challenges in implementing the updated or new approaches, even though they are often just a robust application of the risk-based approach. Especially in the area of software tools and applying CSA concepts validation practitioners may need to justify the application of the updated GAMP 5 guidance. 

So, quality organizations need to find answers to these questions:

1.Why can/should we do validation or documentation differently?

The efficiency gains outlined above should be a significant motivation for the (quality) management of the organization to adopt the new or updated approaches. But the benefits go far beyond efficiency gains. Quality organizations, often perceived as policing organizations that delay projects with overwhelming documentation needs, can now become enablers that truly focus on ensuring that the system is of sufficient quality. They can earn “a seat at the table” early in projects to determine and support the best and most efficient quality approach.

2.Will the regulators accept all of this, especially from local authorities?

GAMP 5 has been reviewed by representatives from several regulatory agencies, and their feedback has been incorporated before the release. As the key principles are still unchanged, the regulatory authorities should accept validation documentation that is based on these principles. Well-documented outcomes of critical thinking as part of risk assessment, testing and other validation activities will provide a robust basis for audits and inspections. 

3.How can we justify doing less when we have done more in the past?

Doing too much is as undesirable as doing not enough. Often an unjustified fear of potential non-acceptance by the regulatory authorities is the driver for overdocumentation. However, doing too much wastes resources and time and may delay the development or manufacturing of medical products that could make a positive impact on public health. Therefore, adjusting your methods and approaches towards more efficiency and/or higher quality is in the best interest of your organization, the regulators, and of the public. Continuous improvement does not mean we always do more; it should also mean that we do things differently and more efficiently whenever possible without impacting quality. But you may face fears and resistance when you are suggesting such a change. Therefore, when you need to change your processes, you need strong support from your management. Without that support (and reasons to support the changed approach are listed above), it is a difficult uphill battle. “We did not have any findings so far, so our QMS is fine!” may be an argument against any change. But this QMS might not be efficient, using too many resources and time. An updated and efficient QMS with more flexible and risk-based approaches could reference concepts in GAMP 5 Second Edition. However, the key for all procedural and system-related changes should be a robust and well-justified risk assessment(s). 

It may be advisable to try the updated approach in a pilot project to explore what specific benefits and risks are within your organization. The results of that pilot project could be discussed with applicable regulators or assessed by an external audit for an objective evaluation of compliance. Based on the results, the new approaches may then be modified and afterward applied to all projects going forward. 

4.How to enable critical thinking?

According to the ISPE GAMP Records and Data Integrity guide, critical thinking is: ”a systematic rational and disciplined process of evaluating information from various perspectives to yield a balanced and well-reasoned answer. Critical thinking allows the effective interpretation of data and situations while avoiding personal biases, assumptions, and other factors. The application of critical thinking skills allows the identification of gaps in data governance and processes and assists in challenging the effectiveness of behavioural, procedural, and technical controls in achieving data integrity.”

Critical thinking should be embedded and supported by the organization's quality culture. For example, the usage of templates should be seen as an aid memoir to ensure that relevant areas for a particular system are covered and not as a form or checklist that needs to be completed. Flexibility in the documentation approach may trigger out-of-the-box thinking and may lead to discovering additional hidden risks. Additionally, there are multiple tools and techniques that can support critical thinking, including business process mapping, data flow diagrams, or using techniques and methodologies out of software development like Planning Poker  during requirements gathering or risk assessments. All of these tools and methods have in common that they yield best results when done in diverse teams with business, IT, Quality, and other key stakeholders.

Conclusion

Some critics say that there is nothing new in GAMP 5 Second Edition, that critical thinking is just a buzzword, and that CSA is just an application of the risk-based approach that has always been there. But if it has been “always there”, why is the industry seeing validation as a significant burden that keeps them from introducing new technologies? 

As a matter of fact, the GAMP 5 Second Edition does not revolutionize the validation of computerized systems, but the Second Edition is also more than just a facelift. It provides up-to-date validation guidance for today's and in a way, even tomorrow’s technologies and methodologies and has further developed and refined established validation approaches for increased quality as well as efficiency. The emphasis on critical thinking in opposition to performing a static and compliance-focused quality approach further highlights the importance of proper and justified risk assessments based on robust and well-defined requirements that are derived from an in-depth process understating for determining the best validation approach. Therefore GAMP 5 Second Edition does address the technologies and the validation challenges of today and must be considered as the most comprehensive guidance document for the validation of computerized systems currently in existence globally.

Written by

Frank Henrichmann  

Co-author of GAMP®5 Second Edition and Current co-chair of the GAMP Global Steering Committee

Oliver Herrmann  

Contributor of GAMP®5 Second Edition and Member of the GAMP Global Steering Committee