GAMP 5: Ten Years On

Ten years after its publication, the ISPE GAMP® 5 Guide: A Risk-Based Approach to Compliant GxP Computerized Systems is regarded as the definitive industry guidance on GxP^∗ computerized system compliance and validation for companies and suppliers and is referenced by regulators worldwide.

This article examines whether the guide is still current, and considers where the Good Automated Manufacturing Practice (GAMP) community should focus its guidance efforts.

GAMP 5 was developed by the ISPE GAMP Community of Practice (CoP), a worldwide group of practitioners and subject-matter experts, with significant input and review from international regulators. In 2017, the CoP leadership began a formal review of GAMP 5 to determine whether it still met its objectives and to focus its efforts on areas where there is most need and benefit.

DATA INTEGRITY

The importance of data integrity is stressed in recent guidance, citations, and public comments. GAMP 5’s stated aim is to assist in achieving patient safety, product quality, and data integrity, while enabling innovation and technological advances. Patient safety is affected by the integrity of critical records, data, and decisions, as well as by aspects that affect physical attributes of the product. To underline this point, the phrase “patient safety, product quality, and data integrity” is used throughout the Guide.

The new ISPE GAMP Records and Data Integrity Guide (RDI), first published in 2017, takes this further. It provides principles and practical guidance for meeting current expectations involved in managing GxP-regulated records and data, ensuring that they are complete, secure, accurate, and available throughout their life cycle.

While GAMP 5 is focused primarily on compliant computerized systems and their life cycles, RDI takes a wider perspective, covering the data governance framework (including human factors), corporate data integrity programs, and the complete data life cycle, which may span several systems. It describes a holistic and flexible risk-management approach for ensuring the integrity of records and data. This is achieved by applying appropriate controls to manage identified risks within the regulated process, commensurate with the level of risk.

The two guides are complementary, yet focused on their individual objectives. They provide a framework for compliant and validated computerized systems, with GAMP 5 providing a solid foundation for record and data integrity across the regulated organization.

The GAMP CoP Analysis was led by Mike Rutherford (then-GAMP Global Chair, now a director on the ISPE International Board), Chris Clark (GAMP Editorial Review Board Chair), and Siôn Wyn (ISPE Technical Consultant).

For each GAMP 5 section and appendix, the team examined the effects of technical and regulatory updates since the original publication, focusing on substantive topics and guidance rather than background, historical, or supporting information. When identifying potential gaps or enhancements, the team identified:

• Where they are addressed in existing GAMP Guidance
• Where current GAMP activity is addressing the issue, with intent to publish
• Where a new GAMP activity/deliverable is likely to be required

The analysis showed that the principles and concepts of GAMP 5 have not been transformed by the changing regulatory environment. However, some themes and areas were identified for enhancement and improvement:

• Increasing prevalence of third-party service providers, including cloud service providers* 
• Current methods and approaches for software development, e.g., iterative and incremental methods, such as Agile^† 
• Increased use of tools, including the move from a document-based process toward automated tool-based processes such as requirements capture, specification, testing, installation, traceability, and configuration management^†
   

* International life science requirements, such as those set forth in the US FD&C Act, US PHS Act, FDA regulations, EU Directives, Japanese MHLW regulations, or other applicable national legislation or regulations under which a company operates. (ISPE Glossary)

Future Topics

Existing GAMP Good Practice Guides (GPGs) were also reviewed. All were found to be current, except for the GAMP Electronic Data Archiving Good Practice Guide, published in 2007. For reasons of alignment and relevance, key topics on electronic data archiving will be included in a forthcoming Data Integrity Good Practice Guide.

Other topics identified for further discussion and potential publication include serialization, cybersecurity, blockchain technology, and innovative development approaches.

The GAMP Data Integrity Special Interest Group (SIG) is also working on a GPG that covers key concepts and hot topics introduced in the RDI Guide, as well as in-depth practical approaches for data integrity for manufacturing systems, laboratory systems, and data retention.

Conclusions

Based on this analysis, the primary guidance in GAMP 5 (and supporting GPGs) is deemed current and relevant, including key concepts on the life cycle and its phases, specification and verification approach, quality risk management, and governance. Together, GAMP 5 and the RDI Guide provide a comprehensive, coherent, and effective framework for meeting current quality, regulatory, and technological challenges. Furthermore, GAMP CoP teams are already working in new key areas of innovation and opportunity, including further detailed guidance on data integrity. 

* The GAMP Cloud SIG has been actively producing articles and papers for ISPE publication, including a series of concept papers.
† The GAMP Agile SIG is now active and considering potential publications in both of these areas.