The new GAMP 5 guidelines were released in February 2008 at the ISPE Manufacturing Excellence Conference in Tampa, Florida. GAMP wants to make it clear that GAMP 5 is “not a prescriptive method or standard, but rather provides pragmatic guidance, approaches and tools for the practitioner”. This means that companies should use these guidelines along with other guidelines and industry best practice to determine the best approach for validating GxP computerized systems.

There are five key concepts to GAMP 5:

• Product and Process Understanding.
• Lifecycle approach within QMS.
• Scalable Lifecycle Activities.
• Science Based Quality Risk Management.
• Leveraging Supplier Involvement.

Product and Process Understanding

Understanding the product and process is critical in determining system requirements and for making science and risk-based decisions to ensure that the system is “fit for use.” In determining “fit for use,” attention should be focused on “those aspects that are critical to patient safety, product quality, and data integrity.”

Product and process knowledge is also important in other phases of the computerized software lifecycle including the “operation” phase. Here it is important to have knowledge of the product and process to determine if changes to the system or failures of the system could affect patient safety, product quality, or data integrity.

Lifecycle Approach within a QMS

Defining a lifecycle approach to a computerized system has been expanded from GAMP 4 to include all phases and activities from concept and implementation through operation and retirement. These activities should be defined within the quality management system (QMS). This allows for a consistent approach across all systems.

There are four major phases defined for any system:

• Concept.
• Project.
• Operation.
• Retirement.

GAMP recognizes that suppliers can be valuable in assisting the companies in any or all phases of the lifecycle.

Scalable Lifecycle Activities

Within the GAMP 5 guidelines GAMP outlines that lifecycle activities should be scaled according to:

• System impact on patient safety, product quality, and data integrity (Risk Assessment).
• System complexity and novelty.
• Outcome of supplier assessment.

There may be other factors that companies may want to consider when making assessments, but this process should be documented and follow established policies and procedures. By conducting this assessment companies can scale their validation effort and other lifecycle activities to the appropriate levels.

Because of the use of a “scaled” approach, GAMP has reassessed their V-model and has “generalized” the model to account for other possible approaches.

This model can be expanded or even reduced depending on the scale or scope of the system being validated. GAMP gives three practical examples of the V-model in their guidelines.

Science Based Quality Risk Management

Science Based Quality Risk Management allows companies to focus on critical aspects of the computerized system and develop controls to mitigate those risks. This is where a clear understanding of the product and process is critical to determine potential risks to patient safety, product quality, and data integrity.

GAMP 5 describes and talks about a five step process for risk management based on ICH Guidelines.

They acknowledge that this is not the only approach and that each company needs to decide what approach best works for its intended use.

Risks that have been identified can be mitigated by:

• Elimination by design.
• Reduction to suitable level.
• Verification to demonstrate that the risks are managed to an acceptable level.

Leveraging Supplier Involvement

Regulated companies regularly involve suppliers throughout the system lifecycle. Suppliers have the knowledge, experience, and documentation to assist companies throughout the system’s lifecycle.

"GAMP 5 suggests regulated companies need to maximize that involvement to determine how best to use supplier documentation, including existing test documentation, to avoid wasteful effort and duplication. Documentation should be assessed for suitability, accuracy, and completeness. There should be flexibility regarding acceptable format, structure and documentation practices”.