COMPLIANCE ACCELERATED

White Paper:
GAMP5: A Risk-based
Approach to Compliant
GxP Computerized Systems

White Paper
COMPLIANCE ACCELERATED

The new GAMP5 guidelines were released February 2008 at the ISPE Manufacturing Excellence
Conference in Tampa, Florida. These guidelines are the latest, up-to-date thinking in the approach to
validation of GxP computerized systems. The purpose of the guidelines is to provide a cost effective
framework of good practice to ensure that computerized systems are fit for use and compliant with
regulation. 1
GAMP History
GAMP (Good Automated Manufacturing Practice) was started in 1991 by a group of pharmaceutical
experts in the UK who wanted to meet the changing FDA expectations for GMP compliance
of manufacturing and related systems. They joined forces with ISPE (International Society for
Pharmaceutical Engineering) as a technical sub-committee and in 1995 released the first GAMP
guidelines. GAMP 4, which was released in 2001, has been one of the standards GxP companies have
been using for computerized system validation for the last seven years.
Today GAMP is a global organization which has communities of practice (COP) in Europe, Japan,
and the Americas. The GAMP guidances are accepted by regulators world wide and referenced by the
FDA and PIC/S in their documents.
Why GAMP 5 Now?
Since the release of GAMP 4 in 2001 the regulatory bodies had made significant updates in their
thinking and approach to regulatory compliance. These changes include;
FDA cGMPs for the 21st Century initiative and associated guidance promoting science-based risk
management.
ICH Guidance Q8, Q9, and soon to be released Q10, which is expected to promote science based
risk management.
PIC/S Guidance Practice for Computerized Systems in Regulated GxP Environments which clarify
regulatory expectations.
GAMP also designed GAMP 5 to be compatible with IEEE standards, ISO 9000 and 12207, IT
Infrastructure Library (ITIL), and other international standards.
GAMP also wanted to:
Focus attention on computerized systems that most impact patient safety, product quality, and data
integrity
Leverage supplier activities to the maximum possible extent while ensuring fitness for intended use

GAMP5: A Risk-based Approach to Compliant GxP Computerized Systems

White Paper
COMPLIANCE ACCELERATED

Recognize that most computerized systems are now based on configurable packages
GAMP 5 Overview
GAMP wants to make it clear that GAMP 5 is not a prescriptive method or standard, but rather
provides pragmatic guidance, approaches and tools for the practitioner. 1 This means that companies
should use these guidelines along with other guidelines and industry best practice to determine the best
approach for validating GxP computerized systems.
There are five key concepts to GAMP 5

Product and Process Understanding

Lifecycle approach within QMS
Scalable Lifecycle Activities
Science Based Quality Risk Management
Leveraging Supplier Involvement

Product and Process Understanding

Understanding the product and process is critical in determining system requirements and for making
science and risk-based decisions to ensure that the system is fit for use. In determining fit for use,
attention should be focused on those aspects that are critical to patient safety, product quality, and data
integrity. 1
GAMP5: A Risk-based Approach to Compliant GxP Computerized Systems

White Paper
COMPLIANCE ACCELERATED

Product and process knowledge is also important in other phases of the computerized software lifecycle
including the operation phase. Here it is important to have knowledge of the product and process to
determine if changes to the system or failures of the system could affect patient safety, product quality,
or data integrity.
Lifecycle Approach within a QMS
Defining a lifecycle approach to a computerized system has been expanded from GAMP 4 to include
all phases and activities from concept and implementation through operation and retirement. These
activities should be defined within the quality management system (QMS). This allows for a consistent
approach across all systems.
There are four major phases defined for any system:

Concept
Project
Operation
Retirement

GAMP recognizes that suppliers can be valuable in assisting the companies in any or all phases of the
lifecycle.

GAMP5: A Risk-based Approach to Compliant GxP Computerized Systems

White Paper
COMPLIANCE ACCELERATED

Scalable Lifecycle Activities

Within the GAMP 5 guidelines GAMP outlines that lifecycle activities should be scaled according to:
System impact on patient safety, product quality, and data integrity (Risk Assessment)
System complexity and novelty
Outcome of supplier assessment
There may be other factors that companies may want to consider when making assessments, but this
process should be documented and follow established policies and procedures. By conducting this
assessment companies can scale their validation effort and other lifecycle activities to the appropriate
levels.
Because of the use of a scaled approach, GAMP has reassessed their V-model and has generalized
the model to account for other possible approaches.

This model can be expanded or even reduced depending on the scale or scope of the system being
validated. GAMP gives three practical examples of the V-model in their guidelines.

GAMP5: A Risk-based Approach to Compliant GxP Computerized Systems

White Paper
COMPLIANCE ACCELERATED

Science Based Quality Risk Management

Science Based Quality Risk Management allows companies to focus on critical aspects of the
computerized system and develop controls to mitigate those risks. This is where a clear understanding
of the product and process is critical to determine potential risks to patient safety, product quality, and
data integrity.
GAMP 5 describes and talks about a five step process for risk management based on ICH Guidelines.
They acknowledge that this is not the only approach and that each company needs to decide what
approach best works for its intended use.

GAMP5: A Risk-based Approach to Compliant GxP Computerized Systems

White Paper
COMPLIANCE ACCELERATED

Risks that have been identified can be mitigated by:

Elimination by design
Reduction to suitable level
Verification to demonstrate that the risks are managed to an acceptable level
Leveraging Supplier Involvement
Regulated companies regularly involve suppliers throughout the system lifecycle. Suppliers have the
knowledge, experience, and documentation to assist companies throughout the systems lifecycle.
GAMP 5 suggests regulated companies need to maximize that involvement to determine how best
to use supplier documentation, including existing test documentation, to avoid wasteful effort and
duplication. Documentation should be assessed for suitability, accuracy, and completeness. There
should be flexibility regarding acceptable format, structure and documentation practices. 1
Suppliers can be used to assist companies with:

Gathering requirements
Creation of functional and other specifications
System configuration
Testing
Support
Maintenance
System retirement

It is important to remember that the regulated company has the responsibility for the documentation,
approval, and compliance of each element of the computerized system lifecycle. With increased
involvement of the supplier in the lifecycle, regulated companies need to assess that the supplier has
processes in place to ensure quality of the product. GAMP has included a section in GAMP 5 dedicated
to supplier activities to assist suppliers in understanding the needs of their customers.
Other Highlights
Verification vs. Validation
Throughout the guidelines GAMP in many places uses verification in place of validation where
appropriate. The industry has used validation inappropriately for many years now. Verification is
defined as the confirmation that the specifications have been met. The verification process may involve
reviews and testing.

GAMP5: A Risk-based Approach to Compliant GxP Computerized Systems

White Paper
COMPLIANCE ACCELERATED

Category Updates
As computerized systems have changed over the years GAMP has updated the categories used to define
computerized systems. The most significant change is the removal of category 2 firmware from
the list. Due to the improvements in firmware, firmware has become so complex that it is no longer
functionally distinguishable from software.
Other changes include updating the categories names to better define the categories. Below is a chart
showing the differences between GAMP 4 and GAMP 5.
Category

GAMP 4

GAMP 5

1
OS
Infrastructure (OS, DB, MW, etc.)
2
Firmware
-REMOVED3
Standard Software
Non-configurable Software
4
Configurable Software
Configurable Software
5
Custom Software
Customizable Software

Updated Templates
Based on the changes to the GAMP guidelines, the templates in the appendices have also been updated
to reflect the changes to GAMP 5 and other regulatory requirements. These templates are useful for
creating or updating your policies, procedures, or processes. The appendix gives more examples on
how and incorporates comments, suggestions, and changes over the last seven years.
The Operational appendices have been updated to cover all phases of the Operation Phase. A new
appendix has been introduced, called Special Interest Topics, which adds to the extensive number of
templates.
Conclusion
While there are new revolutionary concepts in GAMP 5, it does bring together the latest industry
and regulatory thinking in GxP computerized system validation into one concise guidance. By using
the basic concepts that the GAMP, FDA, PIC/S, and other groups have been toutingsuch as using
a scientific risked based approach to validation and leveraging vendor documentationregulated
companies can reduce the time and cost necessary for validation and maintain their systems in a
compliant state.
For more information or to order the GAMP 5 guidelines see the ISPE website at www.ispe.org.
Reference
1. GAMP5: A Risk-Based Approach to Compliant GxP Computerized Systems. Copyright ISPE
2008. All right reserved. www.ISPE.org.

GAMP5: A Risk-based Approach to Compliant GxP Computerized Systems

White Paper
COMPLIANCE ACCELERATED

About MasterControl Inc.

MasterControl produces software solutions that enable regulated companies to get their products to
market faster, while reducing overall costs and increasing internal efficiency. MasterControl securely
manages a companys critical information throughout the entire product lifecycle. Our software is
known for being easy to implement, easy to validate and easy to use. MasterControl QMS and QEM
solutions include quality management, document management/document control, product lifecycle
management, audit management, training management, bill of materials, supplier management,
submissions management, and more. Supported by a comprehensive array of services based on industry
best practices, MasterControl provides our customers with a complete information management
solution across the entire enterprise. For more information about MasterControl, visit
www.mastercontrol.com, or call: 1.800.825.9117 (U.S.); +44 (0) 1256 325 949 (Europe); or
+81 (03) 6801 6147 (Japan).

2010 MasterControl Inc. All rights reserved.

REV: 0010

GAMP5: A Risk-based Approach to Compliant GxP Computerized Systems

COMPLIANCE ACCELERATED

MasterControl Inc.
Corporate Headquarters:
MasterControl Inc.
6322 S. 3000 E. Ste. 110
Salt Lake City, UT 84121
United States
Phone: 800.825.9117
Fax: 801.942.7088
www.mastercontrol.com

Asian Headquarters:
MasterControl KK
Aios Akihabara 702
3-2-2 Ueno Taito-ku
Tokyo 110-0005
Japan
Phone: +81 (3) 6801 6147
Fax: +81 (3) 6801 6148
www.mastercontrol.co.jp

European Headquarters:
MasterControl Global Limited
First Floor North Wing
Matrix House
Basing View
Basingstoke
RG21 4FF
United Kingdom
Phone: +44 (0) 1256 325 949
Fax: +44 (0) 1256 325 289
www.mastercontrolglobal.co.uk
Germany Office
Mendelstrasse 11
48149 Muenster
Germany
Phone: +49 (0) 251 980 2140
Fax: +49 (0) 251 980 2149
www.mastercontrol-global.de
Email: info@mastercontrol.com