GAMP-5 guidance, the related “V model” and the different software categories used to simplify the validation activities are nowadays considered the internationally recognised best approach for computer system validation. GAMP stays for “Good Automated Manufacturing Practice” and it is a guideline which is published by the ISPE, International Society for Pharmaceutical Engineering. The guideline is currently in Version 5.
Good Automated Manufacturing Practice, Founded in 1991. International Society for Pharmaceutical Engineering (ISPE) sets the guidelines for manufacturers and the current Version is GAMP 5.
GAMP-5 is very important especially when the software application is provided by a supplier external to the organization. In fact this regulation requires users and suppliers to work together, each of them according to specific responsibilities, two gain the full validation of the software system.
Specifically, for the users, GAMP-5 provides a framework for validation activities to ensure that the system is fully validated according to its intended user before it moves to production. Suppliers, at the same time, can use GAMP to test the SW application for avoidable defects in the supplied system to ensure quality products are produced.
The Principles of GAMP-5 Guidelines
The GAMP-5 guideline for computer system validation is based on five principles:
- Product and Process Understanding
- Lifecycle approach within QMS
- Scalable Lifecycle Activities
- Science Based Quality Risk Management
- Leveraging Supplier Involvement
Product and Process Understanding
It is essential to fully understand the software product and the related process in order to complete a validation activity. the validation effort shall be concluded with a “Fit for Use” statements and this cannot be performed if the most critical product functionalities are completely understood and tested. The critical functionalities are the ones that have an impact on the safety of the patient, on quality of the product and on security and integrity of the data.
Lifecycle approach within QMS
The lifecycle management of the computer systems under validation need to be managed within the quality management system of the organization. This practically means, as per GAMP-5 methodology, to have a detailed SOP highlighting how each state of the lifecycle of the software application is managed.
Having all the phases of the software lifecycle integrated within the quality system means providing evidence that the requirements are indeed defined within the concept phase or having detailed SOP for release, maintenance and retirement of the software.
Scalable Lifecycle Activities
The lifecycle activities of the software application under validation can be scaled or modelled according to different parameters:
- System impact on patient safety, product quality, and data integrity (Risk Assessment)
- System complexity and novelty
- Outcome of supplier assessment
The V model which, according to GAMP-5, is taken as reference for the lifecycle model of the software application under validation. This is where different GAMP-5 categories can be used to classify the software applications; the strength of the validation efforts are dependent from each category. You can refer to the procedure P-06 : Computer System Validation for a description of the different categories.
The V model can be altered or modified according to the parameters mentioned above. GAMP 5 make it clear the type of validation requirements associated with a system should be tied to how new and complex they are; thus it is tied to the different GAMP-5 categories.
Science Based Quality Risk Management
The GAMP-5 approach suggests to concentrate validation efforts on the most critical functions of the software application, which should be identified using a risk management approach. This is where a clear comprehension of the product and the process is crucial to determine the potential risks to patient safety, product quality and data integrity.
In order to apply risk management approach, the organization shall proceed in a stepwise manner, based on the following sequence:
- Identify functions which impact patient safety, product quality and data integrity
- Perform functional risk assessments
- Implement and verify appropriate controls
- Review risks and monitor the implemented controls
For the methodology of how functional risk assessment shall be implemented, refer to the computer system validation procedure:
Leverage the involvement of the supplier
According to GAMP-5, the organization is definitely responsible for performing validation of the software application they are using. However, regulated companies can leverage their supplier’s own documentation, including existing test documentation to avoid wasteful effort and duplication. Collaboration between suppliers and the organization responsible for validation is of fundamental importance to ensure the validation efforts are meaningful.