Guest Column | December 12, 2023

How Does The GAMP 5 Second Edition Update Look One Year Later?

By Sion Wyn, Conformity Ltd., and Heather Watson, TenTenTen Consulting Ltd.

GettyImages-1199243271 computer data

We recently marked one year since the publication of the Second Edition of the ISPE GAMP 5 Guide: A Risk-Based Approach to Compliant GxP Computerized Systems, and we are taking this opportunity to pause and reflect. GAMP 5 is a widely used international guidance on GxP computerized systems validation and compliance. It is applied by regulated companies, suppliers, service providers, and regulators worldwide.

The First Edition was published in 2008, and as the 10th anniversary of its publication passed, it was time to consider whether an update was necessary. Surely, it was time to update the guidance to reflect technological progress in the intervening years. If so, which elements needed addressing, and equally importantly, which aspects were still relevant and up to date?

GAMP is close to both our hearts. Sion is a founding member of the GAMP Committee and is GAMP 5 editor, while Heather has served as the chair of the GAMP Global Steering Committee and recently assumed the role of chair of the GAMP Editorial Review Board. We felt privileged to co-lead, along with Chris Clark, the production of the Second Edition of GAMP 5.

GAMP documents are published by the International Society for Pharmaceutical Engineering (ISPE), which is a nonprofit association serving its members by leading scientific, technical, and regulatory advancement throughout the entire pharmaceutical life cycle. The ISPE GAMP Community of Practice (CoP) promotes the understanding of the regulation and use of computerized systems within the life sciences.

The GAMP Editorial Review Board carefully reviewed the GAMP 5 First Edition in the light of technological, regulatory, and industry changes, identifying areas and concepts that remain current and relevant, aspects that required updating to reflect current realities, and identifying new technical topics that needed to be addressed and where guidance was required.

Global Events Influenced GAMP 5 Second Edition Changes

We also considered societal changes and recent lessons learned. The global COVID-19 pandemic reminded us that innovation and technological advances are essential to safeguarding patient safety and public health, and that industry and regulatory flexibility is vital in meeting these key objectives. We hoped that GAMP 5 guidance could play a role in achieving this. The feedback at launch events and conferences worldwide has been extremely positive, with many participants welcoming the move toward a flexible, patient-focused approach, based on critical thinking, rather than focusing on compliance and inspections.

We have heard how the Second Edition has helped companies to be more comfortable and confident in adopting modern life cycle approaches, applying tools and automation, and in moving away from document-driven approaches toward knowledge management and defect prevention. Challenges facing us, however, include how best to explain and illustrate practical critical thinking, so that it can be more widely understood and applied.

The overall approach, framework, and key concepts remain unchanged from the First Edition. The technical content of the guide has been updated to reflect the increased importance of IT service providers including cloud service providers, evolving approaches to software development including incremental and iterative models and methods, and increased use of software tools and automation.

Guidance on the application of new and developing technological areas such as artificial intelligence and machine learning (AI/ML), blockchain, cloud computing, and open-source software (OSS) has been included or updated. The importance of critical thinking and the application of patient-centric, risk-based approaches (aimed at quality and safety) versus primarily compliance-driven approaches are further underlined. Concepts of computerized systems assurance as discussed as part of the U.S. FDA’s Center for Devices and Radiological Health (CDRH) Case for Quality program are also explored and applied.  Some key areas are explored below.

GAMP 5 Second Edition’s Life Cycle Approach

The Second Edition clarifies that the GAMP life cycle and specification and verification approach is not inherently linear; it also fully supports iterative and incremental (Agile) methods. New material outlines how critical thinking should be applied through the system’s life cycle.

The guidance explains how the life cycle phases apply in Agile situations as well as linear and encourages the maintenance of records and information in appropriate and effective software tools. The guidance also reflects the increased use of cloud-based applications.

IT Infrastructure In The Second Edition

A new appendix applies current risk-based thinking on good practice for managing infrastructure within a regulated company’s own facilities as well as those of external suppliers, such as cloud-based suppliers of Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

The Second Edition’s Focus On Critical Thinking

A new appendix discusses the application of critical thinking to proactively optimize the approach taken to ensure quality and compliance of computerized systems (through better specification, development, testing, operation, and maintenance) within the context of the business processes they support.

Computerized Systems Testing

Guidance has been updated to emphasize:

  • Critical thinking should be applied when planning testing efforts. The regulated company should determine the type and level of assurance activities required, based on their own need to ensure systems are fit for intended use, commensurate to the risk acceptable within the organization as defined in its policies, procedures, and plans.
  • Testing by any means and in any part of the life cycle and in any environment (development, validation, production, DevOps, etc.) all contributes to finding defects and confirming the system is fit for intended use.
  • Testing should not be limited to detailed and prescriptive step-by-step scripted protocols. The use of exploratory testing and other unscripted techniques is encouraged to extend test coverage and improve defect detection.
  • Using automated testing brings benefits to test coverage, repeatability, and speed. Modern approaches may rely on records, information, and artifacts in automated tools in place of formal specification and test documentation.

Agile Software Development

A new appendix provides a brief summary of the principles underpinning Agile and illustrates how it can be implemented in a way that is aligned with GAMP 5 and GxP principles. The focus is on how to use well-implemented standard Agile processes to deliver software for GxP applications and does not advocate modifying Agile for GxP, for example, by superimposing duplicate and unnecessary linear (“V-model”) activities.

Artificial Intelligence And Machine Learning

A new appendix provides an overview on applying a controlled system life cycle to these technologies, and guidance on how to ensure compliance integration and fitness for use in a GxP environment.

Encouraging Innovation And Good Practice

One of the reasons GAMP guidance has always been successful is that it has reflected the current good IT and software engineering practice, based on input from experienced IT, automation, and software practitioners. We must always ensure that GAMP guidance is well aligned with current good technical practice.

We cannot provide guidance based on or supporting technical concepts, approaches, or techniques that are in some cases decades old, even if they do sometimes remain enshrined in regulatory guidance or company policies and procedures. We would never consider applying old-fashioned, superseded, and outdated medical science or medical practices, and the same should be true for IT and software systems!

We do, however, still see too many examples of ineffective and inefficient practices for reasons including organizational inertia, lack of experience and training, compliance-driven tick-box approaches, and a misguided fear of perceived regulatory inflexibility.

We need to consider how we can encourage practical and effective critical thinking to address these issues, find innovative ways to explain the concept further, and provide meaningful examples, case studies, additional guidance, and training on the topic.

GAMP 5 Second Edition prioritizes patient safety and product quality over compliance and encourages the application of critical thinking. It strongly supports the FDA Center for Drug Evaluation and Research’s (CDER’s) vision of a maximally efficient, agile, flexible manufacturing sector that reliably produces high-quality drug products without extensive regulatory oversight, where the vision requires moving beyond simply meeting minimum cGMP standards and toward robust quality management systems.

About the Authors:  

Sion Wyn, director, Conformity Ltd., is an expert in GxP computerized system validation and compliance, data integrity, and electronic records and signatures. He assisted the FDA as a consultant with its reexamination of 21 CFR Part 11 and was a member of the core team that produced the FDA Guidance on Part 11 Scope and Application. He received the FDA Group Recognition Award for work on Part 11. Wyn is the editor of ISPE GAMP 5 Guide: A Risk-Based Approach to Compliant GxP Computerized Systems, co-lead of the ISPE GAMP Guide: Record and Data Integrity, and co-lead of the GAMP 5 Guide Second Edition. He is a member of the ISPE GAMP Global Steering Committee and GAMP Editorial Review Board.

Heather Watson is a director of TenTenTen Consulting Ltd. based in the U.K. and consults on computer system validation-related matters, including Inspection readiness. She has 30 years of experience in the pharmaceutical industry, which has included various roles at GSK. She has been involved with ISPE since 2001, is the immediate past chair of the GAMP Global Steering Committee, and is chair of the GAMP Editorial Review Board. She was co-lead of the ISPE GAMP 5 Guide: A Risk-Based Approach to Compliant GxP Computerized Systems (Second Edition).