Updates to Regulatory Guidelines - What's New in ISPE GAMP®5's 2nd Edition?
Updated: Sep 7, 2022
When I began my career in validation, I worked under the guidance and expertise of local and global validation experts. I was exposed to various laboratory systems, enterprise IT systems, scattered across the globe, varying in complexity and function. Back then, I didn’t directly rely on the guidance outlined in ISPE’s GAMP®4, as the company I worked for at the time had already integrated the guidelines and best practices from this document into a globally structured validation program, which was deployed and implemented through policies, standard operating procedures, and controlled templates. I fell in love with validation. I understood it well, and more importantly, I wanted to share it with others.
When GAMP®5, the 1st Edition was released in February 2008, I had no idea. I didn’t own a copy, nor was I a member of the ISPE global community. It was only later in my career did I get a chance to read GAMP®5, understand its importance, and use this document to sharpen my own skills as a professional consultant.
Fast forward 15 years later after its initial release, the 2nd Edition of GAMP®5 is now available. This article is tailored towards validation and quality professionals working in the GxP-regulated industry, who are interested in the evolution of this guidance document, and who would like to learn how this newly revised guide can help them with the computerized systems each of us are tasked to validate and maintain in a controlled state.
General Notes About GAMP®5 2nd Edition
First off, it is very important to note that GAMP®5 is not a regulation, and that following the ideas and guidance put forward in this document will not guarantee system compliance. I interpret this document as the minimum set of activities and actions that a GxP company should perform to increase their success factor when validating and managing a computerized system. Validation is really a practice of common sense and is not too complicated of an idea. Each company must create and maintain their own validation program, tailored for their own use, based on what the company does and what type of products and services they provide. A risk-based approach, a common term that is often misunderstood and misrepresented, simply means that validation is not meant to be applied to a system in broad strokes, but instead, used as a tool to identify where real focus of testing and documentation should be applied. Once a meaningful risk rating is applied to a part of a system that is being validated (or the whole system), based on risks to patient safety, product quality, and data integrity, the system can be validated based on this risk.
An advantage of implementing GAMP®5 in your company will be that in the GxP industry, common terminology is used and is understood. Most companies that I have worked for or with do not directly follow the guidance outlined in GAMP®5, but rather implement key concepts from the guidance into their existing processes and methodologies.
GAMP®5 Key Sections
Many sections of the new GAMP guide remain the same. The following sections are key sections that I refer to and reread often, and if one finds themselves limited in time, are sections that require special attention and should be well understood:
Section 2.2 – Key Terms
Section 3 – Life Cycle Approach
Section 6.2 – System-Specific Activities
Section 7.2 – Supplier Good Practices
Section 7.13 – System Support and Maintenance During Operations
Appendix M4 – Categories of Software and Hardware
Appendix M8 – Project Change and Configuration Management
GAMP®5 2nd Edition - What's New in This Version?
There is a lot of new content in the 2nd Edition, focusing on guidance surrounding new IT technologies such as cloud-based systems, artificial intelligence (AI)/machine learning (ML), newer software development methodologies, and a refocus on IT Infrastructure. The following sections have been added:
Appendix D8 – Agile
Appendix D9 – Software Tools
Appendix D10 – Distributed Ledger Systems (Blockchain)
Appendix D11 – Artificial Intelligence and Machine Learning (AI/ML)
Appendix M11 – IT Infrastructure
Appendix M12 – Critical Thinking
Although most sections have been updated, the following sections contains significant changes:
Appendix D1 – Specifying Requirements
Appendix S2 – Electronic Production Records
The following sections have been removed:
Appendix D2 – Functional Specifications
Appendix O7 – Repair Activity
Appendix S5 – Managing Quality within an Outsources IS/IT Environment
What's Missing From This Version?
Lack of Definition/Terminology Support
The new GAMP guidance is not perfect. One oversight, which the new guidance states is its prime directives in providing practical guidance on, is to ‘establish a common language and terminology’ used in the GxP sector. A shortcoming of this guidance is the lack of definition support for the basic terms ‘qualification’, ‘validation’, ‘off-the-shelf’, ‘good documentation practice (GDocP)’, and ‘computer software assurance (CSA)’ (see Appendix G2). The truth is that multiple definitions can be found for these terms from numerous regulatory sources (US FDA, Health Canada), and I personally feel that ISPE was just playing it safe by avoiding taking a stance to clarify some confusing terms that have existed in the industry for the past 25 years. The rationale provided in GAMP is that it aims to be flexible with terminology, is aligned with the US FDA, who they themselves have decided not to use certain terminology because of poor community comprehension and use. If only we had a guidance document to help explain all of this! (Don’t agree – read Section 184.108.40.206 – Terminology for yourself!) I understand that the GAMP guidance needs to be flexible, but I believe this to be an educational missed opportunity, especially as the new generation of GxP practitioners enter the workforce.
I would have liked to see a paragraph describing the historical use of these terms, from the qualification of analytical instruments to USP references, to the use of IQ/OQ/PQ terminology in different industries and countries, and the evolution of moving away from these terms, and finally, the recent transitioning of CSV to CSA.
It is also disappointing to learn that the new CSA methodology was named as such in a more roll-of-the-dice effort rather than leaning into the historical significance that GAMP and other well-received industry guides have provided over the years.
A Too Simplistic Approach in Section 220.127.116.11
Another section which provides a simplistic approach is Section 18.104.22.168 – Removal of Dead Code, which provides an excellent theoretical approach to coding and code maintenance but lacks a practical approach to maintaining code in this manner. Instead, a risk-based approach should be implemented and followed to find the right balance for each company and team of software developers.
Appendix D5 can be Misleading
Finally, in Appendix D5, the table describing Unscripted Testing vs. Scripted Testing can be misleading. Although the GAMP guide focuses primarily on the positive aspects of unscripted testing and the negative aspects of scripted testing, it does a poor job of identifying the negative aspects of unscripted testing. To be a great tester, the individual must have an in-depth knowledge of testing methodologies and practices and must also know the target system very well. This may reject junior and intermediate testers from generating or executing test cases/scripts and may require senior testers or validation staff to perform these duties. From a resource management perspective, this may not be the most efficient use of resources.
Ultimately, generating binders of documented evidence should not be the goal of validation, but rather select an approach that is right for the computerized system and right for your company.
The new GAMP Guidance is a must-read, must-own document whether you are beginning your validation career or are a seasoned practitioner.
It contains information that is fundamental to understanding computerized systems and the work required to validate and maintain such systems in a compliant manner. It does not replace any international or country-specific regulations or standards but does provide a baseline which assists users working in the GxP space. It also establishes a GxP baseline for companies operating in emerging markets and countries who are growing in the pharmaceutical and manufacturing space, and outlines GxP guidelines many other companies are following. The guideline is not perfect, but it’s the best we currently have, and we’ll discuss its strengths and weaknesses for years to come.
I hope that this article has assisted you in some way, and to quote Star Trek’s Spock,
‘Live Long… and Validate’.
Disclaimer: Yogesh Patel is a seasoned IT/Validation expert, working in the GxP sector since 2005. The opinions presented in this article are those of the author and the consulting firm InnovX Solutions, a company based in Montreal, Quebec, Canada.