January / February 2023

What You Need to Know About GAMP® 5 Guide, 2nd Edition

Sion Wyn
Chris Clark
ISPE’s GAMP® 5: A Risk-Based Approach to Compliant GxP Computerized Systems (Second Edition) (GAMP® 5 Guide, 2nd Edition) maintains the principles and framework of the first edition and updates their application in the modern world, including the increased importance of service providers, evolving approaches to software development, and expanded use of software tools and automation. The 2nd Edition highlights the use of critical thinking by knowledgeable and experienced subject matter experts (SMEs) to define appropriate approaches.

Since the publication of the first edition, GAMP® 5 has been far and away the leading international guidance on GxP computerized systems validation and compliance. It was time for ISPE to update this key guidance document to reflect technological progress.

GAMP® 5 Guide, 2nd Edition, aims to continue to protect patient safety, product quality, and data integrity by facilitating and encouraging the achievement of computerized systems that are effective, reliable, and of high quality.

The overall approach, framework, and key concepts remain unchanged from the first edition. The technical content of the guide has been updated to reflect the increased importance of information technology (IT) service providers including cloud service providers, evolving approaches to software development including incremental and iterative models and methods, and increased use of software tools and automation.

Guidance on the application of new and developing technological areas such as artificial intelligence and machine learning (AI/ML), blockchain, cloud computing, and open-source software (OSS) has been included or updated. The importance of critical thinking and the application of patient-centric, risk-based approaches (aimed at quality and safety) versus primarily compliance-driven approaches is further underlined. Concepts of computerized software assurance (CSA) as discussed in the US FDA Center for Devices and Radiological Health (CDRH) Case for Quality program [1] are also explored and applied.

Background and Drivers

One of the reasons GAMP guidance has always been successful is that it has always sought to accurately reflect current, good IT and software engineering practices, based on input from experienced IT, automation, and software practitioners. To be of optimal value to the industry, GAMP guidance must be well-aligned with current good practice. GAMP should not provide guidance based on outdated technical concepts, approaches, or techniques, even if such concepts, in some cases, remain in regulatory guidance or company policies and procedures.

In the same way that it would be considered unacceptable by the public and the health authorities for regulated organizations to apply old-fashioned, superseded, and outdated medical science or medical practices, it would be unacceptable for such organizations to apply outdated IT and software practices, as this would be inefficient, ineffective, and ultimately extremely detrimental to public health.

As clearly stated by the US Food and Drug Administration (FDA) [2]:

“The CGMP requirements were established to be flexible in order to allow each manufacturer to decide individually how to best implement the necessary controls by using scientifically sound design, processing methods, and testing procedures. The flexibility in these regulations allows companies to use modern technologies and innovative approaches to achieve higher quality through continual improvement. Accordingly, the ‘C’ in CGMP stands for ‘current,’ requiring companies to use technologies and systems that are up-to-date in order to comply with the regulations. Systems and equipment that may have been ‘top-of-the-line’ to prevent contamination, mix-ups, and errors 10 or 20 years ago may be less than adequate by today’s standards.

“It is important to note that CGMPs are minimum requirements. Many pharmaceutical manufacturers are already implementing comprehensive, modern quality systems and risk management approaches that exceed these minimum standards.”

In the same way, we also need to apply software development methods and techniques that are adequate by today’s standards. However, too many examples of ineffective and inefficient practices remain for reasons including organizational inertia, lack of experience and training, a shortage of effective business process and technical SMEs, overreliance on compliance-driven tick-box approaches, and a misguided fear of perceived regulatory inflexibility.

Framework and Overall Approach

GAMP® 5 Guide, 2nd Edition, prioritizes patient safety and product quality over compliance and encourages the application of critical thinking. The 2nd Edition strongly supports the FDA Center for Drug Evaluation and Research (CDER) vision of a maximally efficient, agile, flexible manufacturing sector that reliably produces high-quality drug products without extensive regulatory oversight, where the vision requires moving beyond simply meeting minimum CGMP standards and toward robust quality management systems [3].

The overall GAMP 5 framework, key concepts, and International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use (ICH) Q9 aligned quality risk management (QRM) approach remain unchanged from the first edition. The technical content of the guide has been updated to reflect the increased importance of IT service providers including cloud service providers, evolving approaches to software development including incremental and iterative models and methods, and increased use of software tools and automation. The 2nd Edition builds on the work of the ISPE GAMP® Good Practice Guide: Enabling Innovation [4].

The 2nd Edition further emphasizes that the GAMP® life cycle, specification, and verification approach is not inherently linear, and that it also fully supports iterative and incremental (Agile) methods. The guide describes how critical thinking should be applied through the system life cycle, explaining how the life cycle phases apply in Agile situations as well as linear, and encourages the maintenance of records and information in appropriate and effective software tools. The increased use of cloud-based applications is also reflected. As part of the ICH Q9 aligned QRM approach, new guidance on process risk assessment has been added.

Updated and New Appendices

Guidance on the application of new and developing technological areas such as AI/ML and blockchain has been included. The concepts of CSA related to US FDA CDRH Case for Quality program are also explored and applied where relevant.

Figure 1

Figure 2

Management Appendices

Highlights of updates and new material in the management appendices include:

  • Addressing the validation planning and reporting of software as a service (SaaS) solutions and systems developed or configured in an incremental or iterative manner (Agile)
  • Addressing assessment of cloud service providers, and the use of cloud platforms and applications, which move some risk management activities outside the regulated company
  • Categories updated to reflect that:
    • Computerized systems are generally made up of a combination of components from different categories, and that categories 3-5 should be viewed as a continuum
    • The software category is just one factor in a risk-based approach; the life-cycle activities should be scaled based on the overall GxP impact, complexity, and novelty of the system (derived from the criticality of the business process supported by the system) and the nature of the components and technology involved
  • Encouraging automated and tool-based reviews and verification, and automated traceability rather than manual traceability approaches
  • Discussing Agile toolsets to manage requirement changes, artifacts/deliverables, and for DevOps and continuous integration/deployment
  • Reflecting evolving approaches to information management, moving from traditional paper formats to searchable tool-based information life cycles, and acknowledging implicit as well as explicit knowledge
  • Reemphasizing that records and information are maintained because they are valuable to the regulated company as their source of truth, and not necessarily for demonstrating to a third party
  • New appendix applying current risk-based thinking on good practice for managing infrastructure that resides within a regulated company’s own facilities as well as those of external suppliers, such as cloud-based suppliers of infrastructure as a service (IaaS), platform as a service (PaaS), and SaaS
  • New appendix discussing the application of critical thinking to proactively optimize the approach taken to ensure quality and compliance of computerized systems (through better specification, development, testing, operation, and maintenance) within the context of the business processes they support

Development Appendices

Highlights of updates and new material in the development appendices include:

  • Updated guidance on requirements and specifications, taking into account Agile development methods and the increased use of tools and automation in the capture and definition of requirements
  • Testing guidance updated to emphasize that:
    • Critical thinking should be applied when planning testing efforts: the regulated company should determine the type and level of assurance activities required, based on their own need to ensure systems are fit for intended use, commensurate to the risk acceptable within the organization as defined in its policies, procedures, and plans
    • Testing by any means and in any part of the life cycle and in any environment (development, validation, production, DevOps, etc.) all contributes to finding defects and confirming the system is fit for intended use
    • Testing should not be limited to detailed and prescriptive step-by-step scripted protocols—the use of exploratory testing and other unscripted techniques is encouraged to extend test coverage and improve defect detection
    • Using automated testing brings benefits to test coverage, repeatability, and speed
    • Modern approaches may rely on records, information, and artifacts in automated tools in place of formal specification and test documentation
  • New appendix provides a summary of the principles underpinning Agile and illustrates how it can be implemented in a way that is aligned with GAMP® 5 and GxP principles; the focus is on how to use well-implemented standard Agile processes to deliver software for GxP applications and does not advocate modifying Agile for GxP, for example, by superimposing duplicate and unnecessary linear (“V-model”) activities
  • New appendix describing the recommended risk-based approach and considerations when using tools supporting computerized systems life-cycle processes, IT processes, and IT infrastructure processes; such tools do not directly support GxP-regulated business processes or maintain GxP records and data directly supporting the regulated product life cycle
  • New appendix on blockchain aiming to assist in ensuring that the usage of computerized systems applying this technology does not introduce new risks to patient safety, product quality, and data integrity
  • New appendix on AI/ML, providing a basic understanding of these technologies, and guidance on how to ensure compliance integration and fitness for use in a GxP environment

Operation Appendices

Highlights of updates and new material in the operation appendices include:

  • Updated process flow and expanded definition of handover activities, recognizing the use of support tools and including discussion of hypercare and business readiness
  • Expanded consideration of service-level agreements (SLAs), recognizing other aligned agreements such as quality agreements, and including consideration of contract exit
  • Addressing the use of modern monitoring technologies
  • Further clarification of the relationship between incident management, problem management, and deviation management
  • Highlighting the use of IT service management tools in incident and problem management
  • Enhanced description of the relationship between the change processes of the regulated company, IT, and external service providers
  • Utilizing metrics and trends to determine fitness for intended use
  • Clarification of business continuity and disaster recovery processes and their relationship, establishing a link to incident and problem management, and including considerations for anything as a service (XaaS)
  • Including considerations of current IT and data security practices aligned with industry standards such as ISO 27001 and those of the National Institute of Standards and Technology (NIST)

Special Interest Appendices

Highlights of updates and new material in the Special Interest Appendices include:

  • Consideration of cloud computing technologies and blockchain technology included for electronic production records (EPR)
  • Additional material on real-time generation of reports for review by exception (RBE) and other functionality from EPR
  • Clarification on data audit trails and data audit trail review for manufacturing systems
  • Additional data integrity considerations for end-user applications including spreadsheets and more detailed risk-based decision recommendations

GAMP® 5 Guide, 2nd Edition, seeks to meet and exceed minimum compliance expectations by encouraging the application of modern, current, good IT practices; robust QRM approaches; and excellence in software engineering to achieve better product quality and safety for the benefit of the patient and the public.