November / December 2019

Why ISPE GAMP® Supports the FDA CDRH: Case for Quality Program

Sion Wyn
Christopher J. Reid
Chris Clark
Michael L. Rutherford
Heather D. Watson
Lorrie L. Vuolo-Schuessler
Arthur D. Perez, PhD
Why ISPE GAMP® Supports the FDA CDRH: Case for Quality Program

The US FDA Center for Devices and Radiological Health (CDRH) Case for Quality program promotes a risk-based, product quality–focused, and patient-centric approach to computerized systems. This approach encourages critical thinking based on product and process knowledge and quality risk management over prescriptive documentation-driven approaches.

ISPE GAMP® global leadership strongly supports this risk- and quality-based approach to the assurance of computerized systems and believes that current ISPE GAMP® guidance is already fully aligned and consistent with such an approach, including new guidance coming this year from the CDRH.

The FDA CDRH launched the Case for Quality program 1 following a review of data and feedback from both the FDA and industry stakeholders. The FDA’s analysis identified widespread or common manufacturing risks that impact product quality. One of the core program components is the Focus on Quality initiative. Although the FDA usually evaluates a manufacturer’s compliance with regulations governing design and production of devices, the Focus on Quality initiative goes beyond this by treating compliance attainment as the baseline and looking for the inclusion of critical-to-quality practic-es that result in higher-quality outcomes.

The program’s focus on computerized systems has increased in recent public statements related to the Case for Quality, and the CDRH has recently indicated their plan to release guidance on the topic of computer system assurance.

One element is a risk-based approach to computerized systems that focuses on product quality and patient safety. This approach encourages critical thinking based on product and process knowledge as well as quality risk management over prescriptive documentation-driven approaches. One of the prioritized medical device guidance documents that the FDA intends to publish in FY 2019 is a draft titled “Computer Software Assurance for Manufacturing, Operations, and Quality System Software” 2. These activities are of great industry significance and are aligned with the GAMP® risk-based approach as well as with ISPE’s broader patient-centric position and focus on cultural excellence.

An ISPE GAMP® concept paper is being developed to explore more fully the implications and opportunities in the field of computerized systems compliance and demonstrate how the GAMP® risk-based framework can fully support the objectives of the Case for Quality program.

ISPE GAMP® global leadership strongly supports the program’s value-based, patient-centric, and risk-based approach to the assurance of computerized systems and believes that current GAMP® guidance is already fully aligned and consistent with such an approach. GAMP® leadership believes that an understanding of the supported process and associated data flow is fundamental to determining system requirements. Product and process understanding is the basis for making science- and risk-based decisions to ensure that the system is fit for its intended use and that quality and data integrity–related requirements are met.

GAMP® leadership believes that such an approach is appropriate throughout the regulated life science industries, including pharmaceutical, biological, and medical devices, and throughout the complete product life cycle, regardless of the specific applicable predicate regulation. GAMP® strongly supports the adoption of new and innovative computerized technologies and approaches throughout the product life cycle to support product quality, patient safety, and public health.


As stated on the FDA’s website, “Top-quality medical devices help the FDA better protect and promote public health. And one of the top priorities for FDA’s medical devices center is a focus on quality” 1.

In a 2011 report on medical device quality, 3 the FDA described how an excessive focus on compliance may divert resources and management attention away from investments in quality and toward compliance activities like documentation, which do not directly lead to improved quality outcomes.

Industry focus was seen to be on meeting regulatory compliance requirements rather than adopting best quality practices. This trend was related to a low investment in automation and digital technologies, which could greatly assist in quality improvements and process control.

Implications for Computerized Systems

FDA CDRH has discussed the Case for Quality program implications, conclusions, and actions related to the use and assurance of computerized systems in various reports and presentations, which are summarized in various sources. 456

As stated by the FDA Commissioner, the FDA intends for the program to:

encourage device manufacturers to make investments to retool their manufacturing processes in ways that can facilitate manufacturing innovation, encourage investment in new production methods and materials, and lead to better medical products…such as through intelligent, automated processes that monitor and record manufacturing quality metrics, incorporating features and technological characteristics that can contribute to better options and higher quality that achieves their clinical purpose.7

One of the reasons manufacturers were not seeking quality improvements by adopting automation and new digital technologies was the perceived compliance burden and regulatory risk. The validation of computerized systems was seen as a barrier to the adoption of new technologies, with the cost of validation in some cases being reported as twice the cost of the basic system.

The FDA has observed that a compliance-centric approach has not only hampered innovation in manufacturing and product development practices, but also resulted in quality issues. As noted,4 the perceived regulatory burden has contributed to outdated compliance practices; to counter this, the FDA advocates critical thinking and risk-based Agile approaches rather than a focus on documentation or regulatory compliance.

Cisco Vicenty, FDA CDRH Case for Quality Program Manager, noted the FDA has suggested a move away from an approach primarily based on formal validation, verification, and documentation and a move toward approaches that meet needs and ensure system fitness for intended use, especially with regard to product quality and safety and quality system integrity.4 Low-risk systems require less effort for validation and documentation, and the selected approach should be the least burdensome possible. Supplier activities and information and other existing information should be leveraged wherever possible.

Vicenty emphasized that current regulations already allow such a value- and risk-based approach.4 The FDA will focus regulatory activity on inspection and review of systems that impact quality or safety. The FDA does not intend to focus regulatory resources on inspection and review of assurance activities related to systems with little or no direct impact on product quality and safety. The use of computerized system validation and other tools is also encouraged, and these will not be the focus of FDA inspection.

The approach described is based on clearly defining the intended use of the system and determining a risk-based approach based on the system’s impact on device safety and quality. Appropriate methods and activities can be selected, including leveraging existing activities and supplier data, automated tools and data capture, and use of Agile testing methods and unscripted testing as appropriate. The least burdensome approach of recording assurance activities should be applied, and any records produced should be of value to the organization.

GAMP® Support for the Case for Quality Approach

This section illustrates how current GAMP® guidance, including ISPE GAMP® 5 Guide: Compliant GxP Regulated Systems 8 and ISPE GAMP® Guide: Records & Data Integrity, 9 is fully aligned with and supports the FDA’s position. All information is from the GAMP® 5 Guide unless otherwise noted.

The main objective of GAMP® 5 is the effective achievement of patient safety, product quality, and data integrity. The guide applies a life-cycle approach based on intended use and product and process understanding. The application of quality risk management enables effort to be focused on critical aspects of a computerized system and risks to be effectively managed. Supplier activities and documentation should be leveraged wherever possible, and unnecessary duplication and unnecessary activities should be avoided. The key concepts underlying GAMP® 5 are shown in Figure 1.

GAMP® 5 notes the need to avoid duplication of activities (e.g., by fully integrating engineering and computer system activities so they are only performed once); to scale all life-cycle activities and associated documentation according to risk, complexity, and novelty; and to leverage supplier activities wherever possible.

GAMP® 5 also notes that most computerized systems are now based on configurable packages and acknowledges that traditional linear or waterfall development models are not the most appropriate in all cases. GAMP® 5 uses various diagrams to represent the system life cycle from the regulated company’s perspective. These diagrams often present relationships in a linear representation, which is reflective of the case for most standard systems and systems based on configurable packages. This use of linear representations is not intended to constrain the choice of software development methods and models. Suppliers or developers should use the most appropriate software development methods and models, which may include rapid-application development or prototyping techniques and incremental or iterative approaches, including Agile.

GAMP® 5 Key Concepts

GAMP® 5 does not advocate any specific or special software development models or methods. Instead, it encourages the application of current cross-industry software development best practices and tools within the context of an appropriate quality management system (QMS) to provide sufficient documentation and assurance (based on risk, and primarily through the use of effective supporting tools) of fitness for intended use, and to allow effective software maintenance throughout the life cycle.

GAMP® 5 guidance strongly supports the use of effective tools, technology, and systems to support and manage the GxP computerized systems life cycle. Appropriate tools reflecting current technology and good practice are always preferred to paper-based solutions. Such tools are considered part of the infrastructure and are not subject to validation. The use of normal IT good-practice approaches, such as ITIL,10 to the delivery management and support of systems, services, and infrastructure is strongly encouraged.

Testing approaches should focus on achieving systems that are fit for the intended use and focus on identification of defects. Achieving working effective software with as few defects as possible (and no critical defects impacting patient safety) is the main objective. Actual test content, strategy, and effectiveness are the priority, rather than production of documentation. A flexible approach to testing evidence based on risk, complexity, novelty, and the nature of the software function and intended use is encouraged. Records and information supporting the management and life cycle of GxP computerized systems should be of value to the regulated organization, and not maintained for the benefit of third parties.

Based on the nature of the components and the likelihood of defects and level of risk, GAMP® 5 advocates that effort should be concentrated as follows:

Custom > Configured > Nonconfigured > Infrastructure

Critical thinking should be applied to achieve effective and efficient approaches to the life cycle and management of computerized systems.9 The concepts of cultural excellence and maturity assessment are well embedded in GAMP® and ISPE in general.911, 12

Current Industry Challenges

GAMP® global leadership is aware that regulated companies continue to focus excessively on compliance and unnecessary computerized system validation activities and documentation, diverting resources and management attention away from investments in quality and toward compliance activities that do not directly lead to improved quality outcomes.

Examples of common problems include:

  • Risk assessments that are regarded as tick-the-box documentation exercises, rather than as truly driving life-cycle activities that identify required controls and provide valuable input to verification strategies
  • Supplier assessments that do not influence the life-cycle approach, do not truly assess supplier suitability or quality in any meaningful way, or do not add to the management of quality or lessen business risk to the customer
  • Application of GxP requirements, concepts, and documentation to technical areas where application of current best IT practices, including the use of tools and automation, would be more appropriate and effective and would improve quality
  • Overreliance on complex and prescriptive document templates rather than guidance on necessary and value-added content
  • Inappropriate and often unnecessary reviewers and approvers of documents
  • Unnecessary duplication between documents, and unnecessary complexity or content in documents, leading to increased compliance and quality risk
  • Lack of critical thinking driven by perceived and unwarranted fear of regulatory inflexibility

The root causes of these problems may include lack of appropriate subject matter expert input, lack of awareness of the distinction between quality risk and compliance risk, and intolerance of risk driven by a focus on internal compliance audits, coupled with a general misunderstanding and overinterpretation of regulations and guidance.


GAMP® strongly supports a pragmatic quality-focused approach as promoted by the Case for Quality program and advocates a risk-based approach to computerized systems that is focused on intended use as well as product quality and patient safety, as defined in current GAMP® guidance.

The objective of GAMP® guidance is the effective achievement of patient safety, product quality, and data integrity. GAMP® 5 applies a life-cycle approach based on intended use and product and process understanding, while the application of quality risk management enables effort to be focused on critical aspects of a computerized system.