GAMP5 2nd Edition & You: Categories of Software & Hardware

The ISPE GAMP® 5: A Risk-Based Approach to Compliant GxP Computerized Systems (Second Edition) was recently published. In this GAMP5 2nd Edition & You quick read series, Xevalics Consulting aims to highlight content updates in this new edition that may impact your current computer system validation (CSV) program.

Before continuing, we would like to recognize the extraordinary effort of the leading authors who dedicated their time to having this publication ready in about a year (this is quite an accomplishment!).

This first post contains updates related to Appendix M4 – Categories of Software & Hardware.

This appendix has significantly changed from GAMP 5 First Edition (2008).

Software & Hardware Categories Viewed as a Continuum

Per the new edition:

  • “Computerized systems are generally made up of a combination of components from different categories; the categories should be viewed as a continuum” (GAMP5 2nd Ed, 2022)

Therefore, regulated companies should not ‘rigidly stick’ a computerized system into a single category to determine the approach and extent of the validation exercise or the computer system lifecycle. The GAMP5 2nd Edition authors made a key point in highlighting that “categorization is not intended to provide a checklist approach to validation.” (GAMP5 2nd Ed, 2022) From this perspective, regulated companies should apply critical thinking to determine the validation approach for the computerized system implementation, rather than use categories (especially software categories) as a cookie-cutter prescription for the validation deliverables the implementation requires.

Life cycle activities scaling based on other factors besides software category

Per the new edition:

  • “The software category is just one factor in a risk-based approach; the life cycle activities should be scaled based on the overall GxP impact, complexity, and novelty of the system (derived from the criticality of the business process supposed by the system)” (GAMP5 2nd Ed, 2022)

Following a risk-based approach to computerized systems validation is not new to regulated companies. The risk-based approach concept was central to GAMP5 First Edition (2008). However, through all these years, regulated companies have been timid about embracing it fully. This hesitant response could result from two factors: 1) regulated companies choosing a play-safe strategy, following a conservative mindset to CSV and generating all validation deliverables according to procedure per system category, or 2) a lack of knowledge and resources on how to implement an effective quality risk-management approach.

With this new GAMP 5 edition, regulated companies should fully embrace scaling the life cycle activities up or down following a risk-based approach. As usual, the validation approach decision and the rationale should be documented.

IT and Infrastructure Supporting Software, Systems, and Tools are now Software Category 1

Per the new edition, software in Category 1 includes:

  • “Software, systems, and tools supporting computerized system life cycle activities and IT and infrastructure processes (as opposed to supporting business and pharmaceutical and medical device life cycle processes)” (GAMP5 2nd Ed, 2022)

The above was an expected and significant update. This change in the software category for IT and Infrastructure supporting components aligns closely with the new FDA CSA draft guidance soon to be released. Under this new standard, the life cycle for IT and Infrastructure supporting components should focus on installation verification and on assessing and recording the tool's adequacy for use. The rationale behind this approach is that this kind of component typically has no or minimal impact on product quality data or decisions and therefore has no or minimal GxP impact.

How might these GAMP 5 Second Edition updates affect your CSV Program?

  • If your company's CSV Program determines the extent of the system validation (e.g., need for an abbreviated vs. full life cycle approach) based on software/hardware category, your CSV Program might have to be updated to align with the GAMP5 2nd Edition “continuum approach.”
  • Your CSV Program should be updated to define a validation approach for software, systems, and tools supporting computerized systems life cycle activities and IT and infrastructure processes.

If you need assistance updating and implementing your CSV Program, contact the experts at Xevalics Consulting today.
