These guidelines are intended to ensure that pharmaceutical or medical device products are manufactured to the required quality. In doing so they detail a recognised standard for computer system validation (CSV) underpinned by the risk-based approach which is so much a feature of the regulatory landscape today.
GAMP is dedicated to creating global “communities of practice” in pharmaceutical engineering and med tech. GAMP 5® is the ISPE's best-practice guidance, which has been accepted by regulators worldwide (including the FDA) and is widely referenced in their literature and documentation.
According to the ISPE, their publication does not represent “a prescriptive method or standard, but rather provides pragmatic guidance, approaches and tools for the practitioner”.
Thus, the publication brings together the most up-to-date thinking on approaches to systems validation, providing ‘a cost effective framework… to ensure that computerised systems are fit for use and compliant with regulation’.
One of the central tenets of GAMP 5® is that quality cannot be tested into a batch of product or device, but instead needs to be built into every stage of the manufacturing process.
GAMP 5®, therefore, sets out guidelines for systems validation governed by five key concepts rooted in risk-based thinking.
Manufacturers must understand exactly what the product is - its intended use and purpose - plus the purpose of the processes needed to develop it, in order to determine system requirements accurately. They need this understanding to make critical science and risk-based decisions to ensure computerised manufacturing systems are ‘fit for use’.
An understanding of product and process is also vital to minimising the risk of system failure within the operational cycle of the software. Having an intimate knowledge of the product means manufacturers will be better placed to determine how potential changes to the system could affect the overall safety of the end product and the risk of harm to individuals.
Attention should, at all times, be focused on all those aspects of the system that are critical to ‘patient safety, product quality and data integrity’.
Manufacturers need to define their approach to the life cycle management of the computerised systems responsible for producing the products they are making - all the way from concept and implementation through to operation and retirement.
All of the above needs to be defined and documented within a Quality Management System, showing how system requirements are specified in the concept phase, how a system is to be released and maintained and then how it is to be retired. This will include how data or functional migration is handled. This risk-based approach is, therefore, intended to focus validation efforts on preventing dangerous omissions or errors creeping into computerised systems or their operation throughout their working life.
However, GAMP 5 also states that lifecycle activities should be scaled according to:
GAMP 5 acknowledges that businesses may be using different kinds of systems, which pose different kinds of potential risks and do not need to be tested in the same way. Some of these systems are supplied by third parties and are off-the-shelf, others are configured in a bespoke way and some are built entirely from scratch.
GAMP 5 makes it clear that the type of validation requirements associated with a system should be tied to how new and complex it is (and thus the risk of failure it poses).
For example, with a configured product (specified as Category 4 in GAMP), testing should be conducted to verify all the requirements, functional and configuration specifications.
However, functional and configuration specifications would not be required for commercial off-the-shelf software (specified as Category 3 in GAMP). Consequently, the extent of the testing you would be required to perform would also be reduced.
A risk-based approach to systems validation, therefore, makes the extent of required lifecycle activities like these much more achievable and cost-effective for SMEs - as well as more commensurate with the likelihood of their failure and the potential risk to end-users involved.
GAMP 5 also recommends companies focus on critical aspects of the information system and use it to develop controls to mitigate the risk of systems failure. This is where a clear comprehension of the product and the process is crucial to determine the potential risks to individual safety. And when it comes to implementing these controls, it’s obvious how using a QMS underpinned by powerful digital tools for document management can help:
If every part of your process is documented and locked for editing within a digital QMS, with audit histories available and rigorous change controls built-in through a DMS, then risk management of this kind becomes more efficient and effective.
Once risks are identified through audit and analysis, they can then be mitigated through:
Having the right document management system underpinning your QMS can ensure that all these risk management measures are automatically recorded, tested and validated as you undertake them.
GAMP 5 reminds manufacturers that they are responsible for being able to produce the documentation, approval and compliance history of each element of the computerised system. However, regulated companies can ‘leverage their supplier's own documentation, including existing test documentation to avoid wasteful effort and duplication.’ GAMP 5 also notes there can be ‘flexibility regarding acceptable format, structure and documentation practices’.
This is an opportunity to maximise efficiencies for SMEs who may have outsourced significant pieces of digital infrastructure to third-party suppliers. But being able to collaborate closely with suppliers does require the right kind of contractual relationship being in place and the right kind of collaboration tools to facilitate secure file and IP sharing.
GAMP 5 outlines a risk-based approach to compliant GxP computerised systems that can help manufacturers streamline their processes even as their regulatory obligations increase and supply chains become more complex.
A good Quality Management System underpinned by robust document control functionality can help companies create and document these risk-based software validation processes, so that they are streamlined and auditable at the touch of a button. Chosen carefully, these digital QMS systems can also offer sophisticated collaboration tools so that suppliers can share required documentation quickly and securely.