GAMP 5®: A Risk-Based Approach to GxP Computerised Systems

The Good Automated Manufacturing Practice (GAMP 5 ®) guidelines define a set of core principles for GxP, as produced by the ISPE (International Society for Pharmaceutical Engineering).

These guidelines are intended to ensure that pharmaceutical or medical device products are manufactured to the required quality. In doing so they detail a recognised standard for computer system validation (CSV) underpinned by the risk-based approach which is so much a feature of the regulatory landscape today.

What is GAMP 5?

GAMP is dedicated to creating global “communities of practice” in pharmaceutical engineering and med tech. GAMP 5 ® is the ISPE's best practice guidance which has been accepted by regulators worldwide (including the FDA) and is widely referenced in their literature and documentation.

According to the ISPE their publication does not represent

“a prescriptive method or standard, but rather provides pragmatic guidance, approaches and tools for the practitioner”

Thus, the publication brings together the most up-to-date thinking on approaches to systems validation providing

‘a cost effective framework… to ensure that computerised systems are fit for use and compliant with regulation’.

One of the central tenets of GAMP 5 ® is that quality cannot be tested into a batch of product or device, but instead needs to be built into every stage of the manufacturing process.

GAMP 5 ®, therefore, sets out guidelines for systems’ validation governed by five key concepts rooted in risk-based thinking.

Five principles of GAMP 5’s risk-based approach to compliant GxP Computerised Systems

1. Product and process understanding

Manufacturers must understand exactly what the product is - its intended use and purpose - plus the purpose of the processes needed to develop it, in order to determine system requirements accurately. They need this understanding to make critical science and risk-based decisions to ensure computerised manufacturing systems are ‘fit for use’.

An understanding of product and process is also vital to minimising the risk of system failure during the operational life of the software. An intimate knowledge of the product means manufacturers will be better placed to determine how potential changes to the system could affect the overall safety of the end product and the risk of harm to individuals.

Attention should, at all times, be focused on all those aspects of the system that are critical to ‘patient safety, product quality and data integrity’.

2. Managing lifecycles within a QMS

Manufacturers need to define their approach to the life cycle management of the computerised systems responsible for producing the products they are making - all the way from concept and implementation through to operation and retirement.

All of the above needs to be defined and documented within a Quality Management System, showing how system requirements are specified in the concept phase, how a system is to be released and maintained and then how it is to be retired. This will include how data or functional migration is handled. This risk-based approach is, therefore, intended to focus validation efforts on preventing dangerous omissions or errors creeping into computerised systems or their operation throughout their working life.

3. Scalable lifecycle management

However, GAMP 5 also states that lifecycle activities should be scaled according to:

  • The system’s potential to impact on patient safety, quality of product and integrity of data
  • The levels of the system’s complexity and novelty
  • Any outcomes of supplier assessments

GAMP 5 acknowledges that businesses may be using different kinds of systems, which pose different kinds of potential risks and do not need to be tested in the same way. Some of these systems are supplied by third parties and are off-the-shelf, others are configured in a bespoke way and some are built entirely from scratch.

GAMP 5 makes it clear that the type of validation requirements associated with a system should be tied to how new and complex it is (and thus the risk of failure it poses).

For example, with a configured product (specified as Category 4 in GAMP), testing should be conducted to verify all the requirements, functional and configuration specifications.

However, functional and configuration specifications would not be required for commercial off-the-shelf software (specified as Category 3 in GAMP). Consequently, the extent of the testing you would be required to perform would also be reduced.

A risk-based approach to systems validation, therefore, makes the extent of required lifecycle activities like these much more achievable and cost-effective for SMEs - as well as more commensurate with the likelihood of their failure and the potential risk to end-users involved.

4. Taking a scientific approach to risk management

GAMP 5 also recommends companies focus on critical aspects of the information system and use it to develop controls to mitigate the risk of systems failure. This is where a clear comprehension of the product and the process is crucial to determine the potential risks to individual safety. And when it comes to implementing these controls, it’s obvious how using a QMS underpinned by powerful digital tools for document management can help:

  • Step 1 - Perform initial risk assessment and determine potential system impact
  • Step 2 - Identify functions which impact patient safety, product quality and data integrity
  • Step 3 - Perform functional risk assessments and identify controls
  • Step 4 - Implement and verify appropriate controls
  • Step 5 - Review risks and monitor controls

If every part of your process is documented and locked for editing within a digital QMS, with audit histories available and rigorous change controls built-in through a DMS, then risk management of this kind becomes more efficient and effective.

Once risks are identified through audit and analysis, they can then be mitigated through:

  • Redesign to eliminate issues
  • Reduction of risk to a suitable level
  • Verification to demonstrate that risks can be/are managed at an acceptable level

Having the right document management system underpinning your QMS can ensure that all these risk management measures are automatically recorded, tested and validated as you undertake them.

5. Lever the involvement of suppliers

GAMP 5 reminds manufacturers that they are responsible for being able to produce the documentation, approval and compliance history of each element of the computerised system. However, regulated companies can ‘leverage their supplier's own documentation, including existing test documentation to avoid wasteful effort and duplication.’ GAMP 5 also notes there can be ‘flexibility regarding acceptable format, structure and documentation practices’.

This is an opportunity to maximise efficiencies for SMEs who may have outsourced significant pieces of digital infrastructure to third party suppliers. But being able to collaborate closely with suppliers does require the right kind of contractual relationship to be in place and the right kind of collaboration tools to facilitate secure file and IP sharing.


GAMP 5 outlines a risk-based approach to compliant GxP computerised systems that can help manufacturers streamline their processes even as their regulatory obligations increase and supply chains become more complex.

A good Quality Management System, underpinned by robust document control functionality, can help companies create and document these risk-based software validation processes, so that they are streamlined and auditable at the touch of a button. Chosen carefully, these digital QMS systems can also offer sophisticated collaboration tools so that suppliers can share required documentation quickly and securely.



Written by Joe Byrne

Joe Byrne is the CEO of Cognidox. With a career spanning medical device start-ups and Fortune 500 companies, Joe has over 25 years of experience in the medical device and high-tech product development industries. With extensive experience in scaling businesses, process improvement, quality, medical devices and product development, Joe is a regular contributor to the Cognidox DMS Insights blog where he shares expertise on scaling and streamlining the entire product development cycle, empowering enterprises to achieve governance, compliance, and rigour.
