These guidelines are intended to ensure that pharmaceutical or medical device products are manufactured to the required quality. In doing so they detail a recognised standard for computer system validation (CSV) underpinned by the risk-based approach which is so much a feature of the regulatory landscape today.
What is GAMP 5?
GAMP is dedicated to creating global “communities of practice” in Pharmaceutical engineering and med tech. GAMP 5 ® is the ISPE's best practice guidance which has been accepted by regulators worldwide (including the FDA) and is widely referenced in their literature and documentation.
According to the ISPE their publication does not represent
“a prescriptive method or standard, but rather provides pragmatic guidance, approaches and tools for the practitioner”
Thus, the publication brings together the most up-to-date thinking on approaches to systems validation providing
‘a cost effective framework… to ensure that computerised systems are fit for use and compliant with regulation’.
One of the central tenets of GAMP 5 ® is that quality cannot be tested into a batch of product or device, but instead needs to be built into every stage of the manufacturing process.
GAMP 5 ®, therefore, sets out guidelines for systems’ validation governed by five key concepts rooted in risk-based thinking.
Five principles of GAMP 5’s risk-based approach to compliant GxP Computerised Systems
1. Product and process understanding
Manufacturers must understand exactly what the product is - its intended use and purpose - plus the purpose of the processes needed to develop it, in order to determine system requirements accurately. They need this understanding to make critical science and risk-based decisions to ensure computerised manufacturing systems are ‘fit for use’.
An understanding of product and process is also vital to minimising the risk of failure to systems within the operation cycle of software. Owning an intimate knowledge of the product means manufacturers will be better placed to determine how potential changes to the system could affect the overall safety of the end product and the risk of harm to individuals.
Attention should, at all times, be focused on all those aspects of the system that are critical to ‘patient safety, product quality and data integrity’.
2. Managing lifecycles within a QMS
Manufacturers need to define their approach to the life cycle management of the computerised systems responsible for producing the products they are making - all the way from concept and implementation through to operation and retirement.
All of the above needs to be defined and documented within a Quality Management System, showing how system requirements are specified in the concept phase, how a system is to be released and maintained and then how it is to be retired. This will include how data or functional migration is handled. This risk-based approach is, therefore, intended to focus validation efforts on preventing dangerous omissions or errors creeping into computerised systems or their operation throughout their working life.
3. Scalable lifecycle management
However, GAMP 5 also states that lifecycle activities should be scaled according to:
- The system’s potential to impact on patient safety, quality of product and integrity of data
- The levels of the system’s complexity and novelty
- Any outcomes of supplier assessments
GAMP 5 acknowledges that businesses may be using different kind of systems, which pose different kinds of potential risks and do not need to be tested in the same way. Some of these systems are supplied by third parties and are off-the-shelf, others are configured in a bespoke way and some are built entirely from scratch.
GAMP 5 make it clear the type of validation requirements associated with a system should be tied to how new and complex they are (and thus the risk of failure they pose).
For example, with a configured product (specified as Category 4 in GAMP), testing should be conducted to verify all the requirements, functional and configuration specifications.
However, functional and configuration specifications would not be required for commercial off-the-shelf software (specified as Category 3 in GAMP). Consequently, the extent of the testing you would be required to perform would also be reduced.
A risk-based approach to systems validation, therefore, makes the extent of required lifecycle activities like these much more achievable and cost-effective for SMEs - as well as more commensurate with the likelihood of their failure and the potential risk to end-users involved.
4. Taking a scientific approach to risk management
GAMP 5 also recommends companies focus on critical aspects of the information system and use it to develop controls to mitigate the risk of systems failure. This is where a clear comprehension of the product and the process is crucial to determine the potential risks to individual safety. And when it comes to implementing these controls, it’s obvious how using a QMS underpinned by powerful digital tools for document management can help:
- Step 1 - Perform initial risk assessment and determine potential system impact
- Step 2 - Identify functions which impact patient safety, product quality and data integrity
- Step 3 - Perform functional risk assessments and identify controls
- Step 4 - Implement and verify appropriate controls
- Step 5 - Review risks and monitor controls
If every part of your process is documented and locked for editing within a digital QMS, with audit histories available and rigorous change controls built-in through a DMS, then risk management of this kind becomes more efficient and effective.
Once risks are identified through audit and analysis, they can then be mitigated through:
- Redesign to eliminate issues
- Reduction of risk to a suitable level
- Verification to demonstrate that risks can be/are managed at an acceptable level
Having the right document management system underpinning your QMS can ensure that all these risk management measures are automatically recorded, tested and validated as you undertake them.
5. Lever the involvement of suppliers
GAMP 5 reminds manufacturers that they are responsible for being able to produce the documentation, approval and compliance history of each element of the computerised system. However, regulated companies can ‘leverage their supplier's own documentation, including existing test documentation to avoid wasteful effort and duplication.’ GAMP 5 also notes there can be ‘flexibility regarding acceptable format, structure and documentation practices’.
This is an opportunity to maximise efficiencies for SMEs who may have outsourced significant pieces of digital infrastructure to third party suppliers. But being able to collaborate closely with the suppliers does requires the right kind of contractual relationship being in place and the right kind of collaboration tools to facilitate secure file and IP sharing.
GAMP 5 outlines a risk based approach to Compliant GxP Computerised systems that can help manufacturers streamline their processes even as their regulatory obligations increase and supply chains become more complex.
A good Quality Management System underpinned by robust document control functionality - can help companies create and document these risk -based software validation processes, so that they are streamlined and auditable at the touch of a button. Chosen carefully, these digital QMS systems can also offer sophisticated collaboration tools so that suppliers can share required documentation quickly and securely.