White Paper: GAMP®5: A Risk-based Approach to Compliant GxP Computerized Systems

White Paper

2GAMP®5: A Risk-based Approach to Compliant GxP Computerized Systems

The new GAMP®5 guidelines were released February 2008 at the ISPE Manufacturing Excellence Conference in Tampa, Florida. These guidelines are the latest, up-to-date thinking in the approach to validation of GxP computerized systems. The purpose of the guidelines is to “provide a cost effective framework of good practice to ensure that computerized systems are fit for use and compliant with regulation.” 1

GAMP HistoryGAMP (Good Automated Manufacturing Practice) was started in 1991 by a group of pharmaceutical experts in the UK who wanted to meet the changing FDA expectations for GMP compliance of manufacturing and related systems. They joined forces with ISPE (International Society for Pharmaceutical Engineering) as a “technical sub-committee” and in 1995 released the first GAMP guidelines. GAMP 4, which was released in 2001, has been one of the standards GxP companies have been using for computerized system validation for the last seven years.

Today GAMP is a global organization which has “communities of practice” (COP) in Europe, Japan, and the Americas. The GAMP guidances are accepted by regulators world wide and referenced by the FDA and PIC/S in their documents.

Why GAMP 5 Now?Since the release of GAMP 4 in 2001 the regulatory bodies had made significant updates in their thinking and approach to regulatory compliance. These changes include;

FDA cGMPs for the 21st Century initiative and associated guidance promoting science-based risk • management.

ICH Guidance Q8, Q9, and soon to be released Q10, which is expected to promote science based • risk management.

PIC/S Guidance Practice for Computerized Systems in Regulated GxP Environments which clarify • regulatory expectations.

GAMP also designed GAMP 5 to be compatible with IEEE standards, ISO 9000 and 12207, IT Infrastructure Library (ITIL), and other international standards.

GAMP also wanted to:

Focus attention on computerized systems that most impact patient safety, product quality, and data • integrity

Leverage supplier activities to the maximum possible extent while ensuring fitness for intended use •

White Paper

3GAMP®5: A Risk-based Approach to Compliant GxP Computerized Systems

Recognize that most computerized systems are now based on configurable packages•

GAMP 5 OverviewGAMP wants to make it clear that GAMP 5 is “not a prescriptive method or standard, but rather provides pragmatic guidance, approaches and tools for the practitioner.” 1 This means that companies should use these guidelines along with other guidelines and industry best practice to determine the best approach for validating GxP computerized systems.

There are five key concepts to GAMP 5

Product and Process Understanding• Lifecycle approach within QMS• Scalable Lifecycle Activities• Science Based Quality Risk Management• Leveraging Supplier Involvement•

Product and Process Understanding Understanding the product and process is critical in determining system requirements and for making science and risk-based decisions to ensure that the system is “fit for use.” In determining “fit for use,” attention should be focused on “those aspects that are critical to patient safety, product quality, and data integrity.” 1

White Paper

4GAMP®5: A Risk-based Approach to Compliant GxP Computerized Systems

Product and process knowledge is also important in other phases of the computerized software lifecycle including the “operation” phase. Here it is important to have knowledge of the product and process to determine if changes to the system or failures of the system could affect patient safety, product quality, or data integrity.

Lifecycle Approach within a QMSDefining a lifecycle approach to a computerized system has been expanded from GAMP 4 to include all phases and activities from concept and implementation through operation and retirement. These activities should be defined within the quality management system (QMS). This allows for a consistent approach across all systems.

There are four major phases defined for any system:

Concept• Project• Operation• Retirement •

GAMP recognizes that suppliers can be valuable in assisting the companies in any or all phases of the lifecycle.

White Paper

5GAMP®5: A Risk-based Approach to Compliant GxP Computerized Systems

Scalable Lifecycle ActivitiesWithin the GAMP 5 guidelines GAMP outlines that lifecycle activities should be scaled according to:

System impact on patient safety, product quality, and data integrity (Risk Assessment)• System complexity and novelty• Outcome of supplier assessment•

There may be other factors that companies may want to consider when making assessments, but this process should be documented and follow established policies and procedures. By conducting this assessment companies can scale their validation effort and other lifecycle activities to the appropriate levels.

Because of the use of a “scaled” approach, GAMP has reassessed their V-model and has “generalized” the model to account for other possible approaches.

This model can be expanded or even reduced depending on the scale or scope of the system being validated. GAMP gives three practical examples of the V-model in their guidelines.

White Paper

6GAMP®5: A Risk-based Approach to Compliant GxP Computerized Systems

Science Based Quality Risk ManagementScience Based Quality Risk Management allows companies to focus on critical aspects of the computerized system and develop controls to mitigate those risks. This is where a clear understanding of the product and process is critical to determine potential risks to patient safety, product quality, and data integrity.

GAMP 5 describes and talks about a five step process for risk management based on ICH Guidelines. They acknowledge that this is not the only approach and that each company needs to decide what approach best works for its intended use.

White Paper

7GAMP®5: A Risk-based Approach to Compliant GxP Computerized Systems

Risks that have been identified can be mitigated by:

Elimination by design• Reduction to suitable level• Verification to demonstrate that the risks are managed to an acceptable level•

Leveraging Supplier InvolvementRegulated companies regularly involve suppliers throughout the system lifecycle. Suppliers have the knowledge, experience, and documentation to assist companies throughout the system’s lifecycle. GAMP 5 suggests regulated companies need to maximize that involvement to “determine how best to use supplier documentation, including existing test documentation, to avoid wasteful effort and duplication. … Documentation should be assessed for suitability, accuracy, and completeness. There should be flexibility regarding acceptable format, structure and documentation practices.” 1

Suppliers can be used to assist companies with:

Gathering requirements• Creation of functional and other specifications• System configuration• Testing• Support• Maintenance• System retirement•

It is important to remember that the regulated company has the responsibility for the documentation, approval, and compliance of each element of the computerized system lifecycle. With increased involvement of the supplier in the lifecycle, regulated companies need to assess that the supplier has processes in place to ensure quality of the product. GAMP has included a section in GAMP 5 dedicated to supplier activities to assist suppliers in understanding the needs of their customers.

Other Highlights

Verification vs. ValidationThroughout the guidelines GAMP in many places uses “verification” in place of “validation” where appropriate. The industry has used “validation” inappropriately for many years now. Verification is defined as the confirmation that the specifications have been met. The verification process may involve reviews and testing.

White Paper

8GAMP®5: A Risk-based Approach to Compliant GxP Computerized Systems

Category UpdatesAs computerized systems have changed over the years GAMP has updated the categories used to define computerized systems. The most significant change is the removal of category 2 “firmware” from the list. Due to the improvements in firmware, firmware has become so complex that it is no longer functionally distinguishable from software.

Other changes include updating the categories names to better define the categories. Below is a chart showing the differences between GAMP 4 and GAMP 5.

Category GAMP 4 GAMP 5

1 OS Infrastructure (OS, DB, MW, etc.)2 Firmware -REMOVED-3 Standard Software Non-configurable Software4 Configurable Software Configurable Software5 Custom Software Customizable Software

Updated TemplatesBased on the changes to the GAMP guidelines, the templates in the appendices have also been updated to reflect the changes to GAMP 5 and other regulatory requirements. These templates are useful for creating or updating your policies, procedures, or processes. The appendix gives more examples on “how” and incorporates comments, suggestions, and changes over the last seven years.

The Operational appendices have been updated to cover all phases of the Operation Phase. A new appendix has been introduced, called “Special Interest Topics,” which adds to the extensive number of templates.

ConclusionWhile there are new revolutionary concepts in GAMP 5, it does bring together the latest industry and regulatory thinking in GxP computerized system validation into one concise guidance. By using the basic concepts that the GAMP, FDA, PIC/S, and other groups have been touting—such as using a scientific risked based approach to validation and leveraging vendor documentation—regulated companies can reduce the time and cost necessary for validation and maintain their systems in a compliant state.

For more information or to order the GAMP 5 guidelines see the ISPE website at www.ispe.org.

ReferenceGAMP1. ®5: A Risk-Based Approach to Compliant GxP Computerized Systems. © Copyright ISPE 2008. All right reserved. www.ISPE.org.

White Paper

9GAMP®5: A Risk-based Approach to Compliant GxP Computerized Systems

About MasterControlMasterControl Inc. is a global provider of GxP process, quality audit, and document management software solutions for life science companies. MasterControl™ products are easy to use, easy to deploy, easy to validate, and easy to maintain. They incorporate industry best practices for automating and connecting every stage of the product development cycle, while facilitating regulatory compliance. By combining an integrated platform with a continuum of risk-based software validation products and services, MasterControl drives down the total cost of ownership and enables customers to extend their investment across the enterprise. Hundreds of companies, including 50 percent of the top 20 pharmaceutical enterprises, currently use MasterControl solutions for easier compliance, faster validation, and better process management. For more information about MasterControl, visit www.mastercontrol.com, or call 800-825-9117 (U.S.) or +44 118 9812838 (Europe).

MasterControl Inc.

USA 6322 S. 3000 E. Suite 110Salt Lake City, UT 84121

P. 800.825.9117F. 801.942.7088 www.mastercontrol.com Europe 7200 The QuorumOxford Business Park NorthGarsington RoadOxford OX4 2JZUnited Kingdom

P. +44 (0) 1865 481481F. +44 (0) 1865 481482 www.mastercontrolglobal.co.uk